How the new iPhone “anti-thief” feature on iOS 18.1 works, and why it makes the smartphone restart

An iPhone “anti-thief” feature introduced by Apple with iOS 18.1 was discovered in recent days by some security researchers. The mechanism, called “Inactivity Reboot”, forces the device to restart automatically if it has not been unlocked for 72 consecutive hours. The reboot increases the security of the phone: the encryption keys that the Secure Enclave (a dedicated coprocessor built into the SoC, or System on a Chip, of every iPhone) had made available after the user's last unlock are no longer available to the operating system, so unauthorized access to the data becomes more difficult (though not impossible). The measure was designed to counter the “cheap” forensic hacking tools that bad actors can use. It does not completely prevent access to data, however: for those with the right equipment (and technical skills), 72 hours may be enough to carry out an attack.

Inactivity Reboot on iPhone: how it works and why it is useful

The Inactivity Reboot function arises from the need to give the iPhone greater protection by moving it from the AFU (After First Unlock) state to the BFU (Before First Unlock) state. In the first, some of the information can be more exposed even with the phone locked; in the second, the data remains completely encrypted, making it almost inaccessible without the correct passcode. Some IT experts describe these states as “hot” and “cold”. A researcher who goes by the name tihmstar explains that «many forensic firms focus on “hot” devices in an AFU state, because at some point the user entered their correct passcode, which is stored in the iPhone’s secure enclave memory». “Cold” devices, on the other hand, are much harder to compromise, since after a reboot the data in their memory cannot be freely accessed.

The implementation of Inactivity Reboot has been confirmed both by independent researchers and by specialized companies such as Magnet Forensics, which provides tools for advanced digital forensics. The function was also analyzed by the researcher Jiska Classen, who shared on X (formerly Twitter) a time-lapse demo video showing the mechanism kicking in after three days of inactivity.

To help people understand the difference between a device in the BFU state and one in the AFU state, Classen published a very useful technical analysis on her personal blog, in which she explained:

The state (that your iPhone is in, Ed.) before you enter the passcode for the first time is also called Before First Unlock (BFU). Because the user data is encrypted, your iPhone behaves slightly differently than on subsequent unlocks. You will see that Face ID and Touch ID will not work and that the unlock code is required. But there are more subtle things you might notice: because Wi-Fi passwords are encrypted, the iPhone won’t connect to Wi-Fi networks. If your SIM is not PIN protected, your iPhone will still connect to cellular networks. This means that, technically, you can still receive phone calls. However, if you receive a call, even if that number is in your contacts, the contact name will not be displayed, since the contacts have not yet been decrypted. Likewise, when you receive notifications about new messages, you will see the message notifications, but not their preview.

Regarding iPhones in the AFU state, however, she stated:

In the After First Unlock (AFU) state, the user data is decrypted. You can think of it as a key safe that is kept open while iOS is running. Even when you see a lock screen, some keys remain available to the operating system. This way, you stay connected to Wi-Fi networks and receive previews of message notifications, even when your iPhone is locked. While more convenient, the AFU state is more susceptible to attacks. An attacker who somehow manages to bypass the lock screen can gain access to the decrypted data on the iPhone. To bypass the lock screen, an attacker does not necessarily need to know the unlock code. Security vulnerabilities within iOS can allow attackers to gain code execution and extract data from an iPhone, even when it appears to be “locked.”

“Anti-thief” function on iOS 18.1: is 72 hours a lot or a little?

It should be made clear at this point that the new Inactivity Reboot function will not make your iPhone unhackable: 72 hours is a compromise that leaves room for advanced unlock attempts, especially by those with a certain level of IT skills.

The aforementioned researcher Classen confirmed in this regard:

While rebooting due to inactivity makes it more difficult for law enforcement to obtain data from criminals’ devices, this will not completely block them. Three days is still more than enough to coordinate operations with professional analysts.