Apple has added a new security feature with the iOS 18.1 update released last month to ensure that iPhones automatically reboot after long idle periods to re-encrypt data and make it harder to extract.
While the company has yet to officially confirm this new “inactivity reboot” feature, law enforcement officers were the first to discover it after observing suspects’ iPhones restarting while in police custody, as first reported by 404 Media.
The reboot switches idle devices from an After First Unlock (AFU) state to a Before First Unlock (BFU) state, where the devices are more challenging to break using forensic phone unlocking tools.
Furthermore, BFU makes extracting stored data harder, if not impossible, since even the operating system itself can no longer access it using encryption keys stored in memory.
“Apple added a feature called ‘inactivity reboot’ in iOS 18.1. This is implemented in keybagd and the AppleSEPKeyStore kernel extension,” as Hasso-Plattner-Institut researcher Jiska Classen explained.
“It seems to have nothing to do with phone/wireless network state. Keystore is used when unlocking the device. So if you don’t unlock your iPhone for a while… it will reboot!”
Simply put, on iOS devices, all data is encrypted using an encryption key created when the operating system is first installed/set up.
GrapheneOS told BleepingComputer that when an iPhone is unlocked using a PIN or biometric, like Face ID, the operating system loads the encryption keys into memory. After this, when a file needs to be accessed, it will automatically be decrypted using these encryption keys.
However, after an iPhone is rebooted, it goes into an “at rest” state, no longer storing encryption keys in memory. Thus, there is no way to decrypt the data, making it much more resistant to hacking attempts.
If law enforcement or malicious actors gain access to a locked device that is still in the AFU state, they can use exploits to bypass the lock screen. Since the decryption keys are still loaded in memory, they can then access all of the phone’s data.
Rebooting the device after an idle period will automatically wipe the keys from memory and prevent law enforcement or criminals from accessing your phone’s data.
An Apple spokesperson was not immediately available for comment when contacted by BleepingComputer earlier.