iPhone Now Auto-Restarts to Protect Data in iOS 18.1

Last week, cybersecurity experts raised concerns about unusual iPhone behavior: devices were automatically restarting if they hadn’t connected to a cellular network for some time. Now, researchers have confirmed that with the release of iOS 18.1, Apple has introduced a new security feature in the operating system.

Recently, 404 Media obtained an interesting document in which law enforcement warned colleagues about strange iPhone behavior while devices were awaiting forensic examination. Experts noticed that iPhones could now restart on their own, making it much harder to unlock confiscated phones, such as those seized from criminals.

The reason is that a spontaneous restart switches the device from “After First Unlock” (AFU) mode to “Before First Unlock” (BFU) mode. This significantly complicates attempts to hack the device using existing forensic tools. In BFU mode, data extraction is nearly impossible, since even the operating system itself can no longer access the data using encryption keys stored in memory.

Neither then nor now has Apple responded to journalists’ questions about whether iOS 18 introduced a new protection feature causing devices to restart on their own, thereby complicating forensic work.

How the New Security Feature Works

However, these strange restarts caught the attention of information security experts. One of them, Jiska Classen from the Hasso Plattner Institute, discovered that iOS does indeed have a new protection mechanism. But the feature doesn’t work exactly as law enforcement had assumed.

“Apple added an inactivity reboot feature in iOS 18.1. It’s implemented in keybagd and the AppleSEPKeyStore kernel extension,” Classen wrote. “It doesn’t seem to be related to the phone’s network state. The key store is used when unlocking the device. So if you don’t unlock your iPhone for a certain period… it will restart!”

Developers from GrapheneOS explained to Bleeping Computer that on iOS devices, all data is encrypted using a key created during the initial setup of the operating system. When the iPhone is unlocked with a PIN or biometric data, the OS loads the encryption keys into memory.

After that, whenever access to a file is needed, it’s automatically decrypted using these keys. However, after a restart, the iPhone enters a “rest” state, meaning it no longer stores encryption keys in memory, making data decryption nearly impossible.

According to researchers, iOS 18.1 uses a special timer that restarts the device after four days of inactivity.