Researcher Deconstructs iPhone’s Inactivity Reboot Feature

0
67
Researcher Deconstructs iPhone’s Inactivity Reboot Feature

A recent investigation by 404 Media highlighted law enforcement’s concerns regarding iPhones that spontaneously restart, complicating attempts to compromise these devices. Security analyst Jiska Classen later identified this phenomenon as stemming from a newly introduced feature known as “Inactivity Reboot,” which Classen has successfully reverse-engineered.

Reverse Engineering the iPhone’s Inactivity Reboot Feature

The researcher elaborated in a blog post on the specific implementation of Inactivity Reboot by Apple, which was executed discreetly without any formal announcement. Analyzing the iOS code revealed that Inactivity Reboot first appeared in iOS 18.1, and subsequent beta code in iOS 18.2 indicates that Apple continues to refine its functionality.

Contrary to earlier assumptions, this security feature does not rely on wireless connectivity. Instead, it employs the Secure Enclave Processor (SEP) to monitor the time elapsed since the last unlocking of the iPhone. If the device remains unlocked for more than three days, the SEP signals the kernel to terminate Springboard (the iOS core) and initiates a reboot.

As Classen noted, Apple has established mechanisms to thwart attempts by hackers to circumvent this protocol. For instance, if the kernel encounters obstacles in rebooting the iPhone, the system automatically triggers a kernel panic, resulting in a crash and reboot of the device. Additionally, when an iPhone enters the “aks-inactivity” state, the system sends analytic data to Apple.

Because Inactivity Reboot operations are conducted within the SEP rather than the main iOS kernel, bypassing it proves considerably more difficult—even in the event that the main kernel is compromised (as might occur with a jailbreak tool). Classen pointed out that little information is publicly available regarding the SEP, as Apple keeps its firmware and related details tightly controlled.

Upon reboot, the iPhone shifts into Before First Unlock (BFU) mode, which encrypts all stored files until the user inputs the device’s passcode. Even Cellebrite, a cybersecurity firm known for extracting data from locked iPhones, recognizes that accessing data from a device in BFU mode presents significant challenges.

Cellebrite can't unlock iPhones running iOS 17.4 and later | One of the company's devices
Cellebrite tool used for hacking iPhones

Apple has not disclosed its reasons for integrating the Inactivity Reboot feature in iOS 18. However, the motivations appear to be clear. The company likely aims to thwart the use of tools like Cellebrite and Pegasus spyware, frequently employed by law enforcement. Additionally, this feature serves to safeguard everyday users who might have their data compromised following incidents of theft or robbery.

For further insights into the reverse engineering of the Inactivity Reboot feature, you can visit Jiska Classen’s blog.

FTC: We use income earning auto affiliate links. More.