Apple’s latest iOS 18.1 update includes a new, unconfirmed security feature called “inactivity reboot” that adds an extra layer of protection for idle iPhones.
This automatic reboot feature is designed to re-encrypt data after a period of inactivity, making it more challenging for unauthorized parties to access.
Law enforcement officers first observed this feature when iPhones in custody began rebooting unexpectedly, a behavior initially reported by 404 Media. When the device reboots, it shifts from an After First Unlock (AFU) state to a Before First Unlock (BFU) state, where it’s significantly more secure against forensic unlocking tools.
The technical implementation of the inactivity reboot lies in keybagd and the AppleSEPKeyStore kernel extension, as explained by researcher Jiska Classen from the Hasso-Plattner-Institut. The feature seems unrelated to network status, as it’s triggered solely by device inactivity.
We've heard that iOS 18.1 is using a 4 day timer for auto-reboot after the device is locked, which is similar to the 72h default we used before moving to an 18h default. Our users can configure it between 10 minutes and 72 hours (or disabled) based on their tolerance for it.
— GrapheneOS (@GrapheneOS) November 9, 2024
Here’s how it works: on iOS, encryption keys for data access are stored in memory after a user unlocks the phone with a PIN or biometric data, like Face ID. If the device reboots, these keys are cleared from memory, putting the device in an “at rest” state and blocking data decryption without re-authentication. This security layer significantly hinders access for law enforcement or hackers who might attempt to bypass the lock screen on a locked device.
By rebooting after idle periods, iOS 18.1 automatically erases the in-memory decryption keys, adding a new obstacle to unauthorized data access. Apple has not officially commented on the feature, but it’s seen as a powerful enhancement to user privacy in the event a device is left unattended or falls into the wrong hands.
