A recent report from 404 Media revealed that law enforcement officials are concerned about iPhones automatically rebooting, which makes these devices much more difficult to hack. Security researcher Jiska Classen later found that this behavior is caused by a new feature called Inactivity Reboot, and has now reverse engineered it.
Reverse engineering the iPhone's inactivity reboot feature
The researcher detailed in a blog post exactly how Apple implemented Inactivity Reboot. Apple shipped it quietly, without publicly announcing the new security feature. Based on iOS code, it was possible to confirm that Inactivity Reboot was implemented in iOS 18.1, although the beta code for iOS 18.2 suggests that Apple is still making improvements to how it works.
Contrary to what was previously believed, the security feature has nothing to do with wireless connectivity. Instead, it uses the Secure Enclave Processor (SEP) to track when the iPhone was last unlocked. If more than three days have passed since the last unlock, the SEP notifies the kernel, which kills SpringBoard (the core iOS user interface process) and initiates a reboot.
Unsurprisingly, Classen says Apple has implemented ways to prevent hackers from bypassing this process. For example, if something prevents the kernel from rebooting the iPhone, the system will automatically trigger a kernel panic, which will cause the device to crash and reboot. The system also sends analytics data to Apple when the device enters an “aks-inactivity” state.
Because the inactivity tracking that triggers the silent reboot happens in the SEP rather than the main iOS kernel, it's much harder to bypass, even if the main kernel is compromised (such as with a jailbreak tool). As Classen explained, little is known about the SEP because Apple keeps everything, including the firmware, secret.
After a reboot, the iPhone is in Before First Unlock (BFU) mode, in which all files on the device remain encrypted until the user enters the device's passcode. Even Cellebrite, a cybersecurity company that specializes in extracting data from locked iPhones, admits that retrieving data from a device in BFU mode is quite a challenge.
Apple cracks down on hacking tools
Apple isn't saying why it implemented the Inactivity Reboot feature on iPhones with iOS 18, but the reasons seem pretty clear. The company certainly wants to combat tools like Cellebrite and the Pegasus spyware, which are often used by law enforcement. Of course, this also protects regular users whose data could be extracted after they have been the victim of theft or robbery.
More information about the reverse engineering of the Inactivity Reboot feature can be found on Jiska Classen's blog.