Friday, November 8, 2024

iPhones Mysteriously Rebooting Themselves

Juli Clover:

Law enforcement officials in Detroit, Michigan are warning other police officers about an alleged iPhone change that causes Apple devices stored for forensic examination to spontaneously restart, reports 404 Media.

iPhones that are undergoing examination have apparently been rebooting, which makes them harder to unlock with brute force methods, and Michigan police think that it’s due to a security feature that Apple added in iOS 18. A document found by 404 Media speculates that iPhones running iOS 18 are causing other iPhones to restart when those iPhones have been disconnected from a cellular network.

[…]

Matthew Green, a cryptographer and Johns Hopkins professor, told 404 Media that the law enforcement officials’ hypothesis about iOS 18 devices is “deeply suspect,” but he was impressed with the concept.

[…]

Apple added an “inactivity reboot” feature in the iOS 18.1 update, but it does not relate to phone/wireless network state.

Update (2024-11-11): Jiska:

Apple indeed added a feature called “inactivity reboot” in iOS 18.1. This is implemented in keybagd and the AppleSEPKeyStore kernel extension. It seems to have nothing to do with phone/wireless network state. Keystore is used when unlocking the device.

Joseph Cox (post):

We’ve confirmed that Apple quietly introduced code that automatically reboots an iPhone if it hasn’t been unlocked after a period of time. This is why cops are being mysteriously locked out of iPhones they’re trying to search.

Adam Engst:

By restarting iPhones that remain locked for four days, Apple increases overall security, particularly for individuals at risk of having their iPhones confiscated by repressive regimes, with little or no inconvenience to regular users.

Does this affect background processes that you may have wanted to keep running?

Nick Heer:

It seems the cops believed iPhones were secretly communicating with each other because some of them were running older iOS versions, forgetting the explanation that satisfies Hanlon’s razor: iOS is kind of buggy.

Update (2024-11-15): Lorenzo Franceschi-Bicchierai (Hacker News, MacRumors):

On Wednesday, Jiska Classen, a researcher at the Hasso Plattner Institute and one of the first security experts to spot this new feature, published a video demonstrating the “inactivity reboot” feature. The video shows that an iPhone left alone without being unlocked reboots itself after 72 hours.

Magnet Forensics, a company that provides digital forensic products including the iPhone and Android data extraction tool Graykey, also confirmed that the timer for the feature is 72 hours.

Update (2024-11-18): JISKA (via Hacker News):

What does it protect from and how does it work? This blog post covers all the details down to a kernel extension and the Secure Enclave Processor.

[…]

Security-wise, this is a very powerful mitigation. An attacker must have kernel code execution to prevent an inactivity reboot. This means that a forensic analyst might be able to delay the reboot for the actual data extraction, but the initial exploit must be run within the first three days.

Inactivity reboot will change the threat landscape for both thieves and forensic analysts, but asymmetrically so: while law enforcement is under more time pressure, it likely completely locks out criminals from accessing your data to get into your bank accounts and other valuable information stored on your iPhone.

3 Comments


Isn't that a feature in the iPhone that if they are sitting in a store that they can start themselves and update themselves?



My MBP mysteriously refused to connect to my home wifi unless I shared the password from a phone.

At the same time my wife's new work phone (that is the family's first iPhone) mysteriously started getting popups saying I was requesting access to the wifi. Something I wasn't. I know the password. I created it.
