Reboot after inactivity: How Apple's new iOS security feature works
Undocumented and effective: Apple will in future send iPhones to restart after a certain period of inactivity. These are the exact reasons for this.
Apple logo on an iPhone.
(Image: Sebastian Trepesch)
Apple's iOS 18.1 function, which has not yet been officially confirmed and which automatically restarts devices after 72 hours without unlocking in order to better protect them against unlocking, has been subjected to further analysis. Security expert Jiska Classen from the Secure Mobile Networking Lab at TU Darmstadt reports in her blog that Apple uses special methods to ensure that the process cannot be aborted by attackers.
The important mode before the first PIN code entry
"The state before the passcode is entered for the first time is also referred to as "Before First Unlock" (BFU). Due to the encrypted user data, your iPhone behaves slightly differently than when it is unlocked later," writes Classen. Then, for example, the contacts are not yet decrypted and notifications also appear without content, even if this is enabled on the lockscreen. "In the "After First Unlock" (AFU) state, the user data is decrypted. You can think of it as a key safe that is kept open while iOS is running."
Classen was able to show with a code analysis that the new reboot function was implemented in iOS 18.1 – in 18.2 it will apparently be further improved. However, Apple has a trick up its sleeve if a process tries to cancel the reboot: if the kernel is prevented from doing so, a kernel panic is automatically triggered, which also initiates a reboot. Apple collects analysis data that later appears to be sent to the company. The entire reboot process is monitored via the Secure Enclave (SEP), which counts whether the 72 hours without an unlock have been reached. Using the SEP helps to make the process even less vulnerable.
Graykey should be able to partially unlock iOS 18 and 18.0.1
Magnet Forensics is now said to be able to "partially" unlock iOS 18 and 18.0.1. This was reported by 404 Media, citing leaked internal documents with details of its Graykey tool, which is sold to authorities. What this means in concrete terms initially remained unclear. iOS 18.1 should not be accessible to –, at least according to the then current beta versions –. iPhone 11 models (released in 2019), on the other hand, could be "fully" unlocked.
"Partial" access could mean, among other things, that law enforcement officers could access metadata such as file structure or file sizes and possibly also view unencrypted data. However, as mentioned, this is only possible in the "After First Unlock" status, so Apple's new forced reboot would be all the more important to protect the content. "Before First Unlock", the system is in a highly secured mode.
Empfohlener redaktioneller Inhalt
Mit Ihrer Zustimmmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.
(bsc)
