Ethical Hacking News
Apple's "inactivity reboot" feature raises concerns over security and law enforcement in forensic analysis settings where iPhones await examination. The feature aims to enhance data security by erasing sensitive information from memory, but its potential impact on current tools used for forensic analysis is a pressing issue that requires immediate attention.
Apple has introduced "inactivity reboot" in iOS 18.1, which automatically reboots locked devices after extended periods of inactivity. The feature aims to enhance data security by erasing sensitive information from memory and preventing unauthorized extraction. The auto-reboot timer triggers after several days of inactivity, returning devices to a "Before First Unlock" state. Law enforcement officials have raised concerns about the impact on forensic analysis settings where tools like Cellebrite are used to unlock and analyze iPhones. The feature may cause problems for forensics labs where iPhones await examination, as it can erase sensitive data from memory.
Apple has recently introduced a new security feature called "inactivity reboot" in its latest iOS 18.1 update, which automatically reboots locked devices after extended periods of inactivity. This feature aims to enhance data security for users by erasing sensitive information from memory and preventing unauthorized extraction.
The new feature was quietly implemented in the release of iOS 18.1 at the end of October, with Apple having added an auto-reboot timer that triggers after several days of inactivity. The feature limits app access to encryption keys, returning devices to a "Before First Unlock" state. This move is expected to make it harder for law enforcement agencies to unlock and analyze iPhones that have been locked out due to lack of use.
Law enforcement officials have raised concerns about this new feature, with one document obtained by 404 Media warning that securely stored iPhones awaiting forensic examination are mysteriously rebooting, making them much harder to unlock. According to the document, some iPhones in a forensics lab, including those in Airplane mode or a Faraday box, rebooted unexpectedly, losing their "After First Unlock" (AFU) state.
In such situations, once the device reboots and goes into a "Before First Unlock" (BFU) state, it becomes more difficult to unlock and analyze using current tools. Three iPhones running iOS 18.0 were added to the lab on October 3, and officials hypothesize that these devices may have communicated with other iPhones in AFU mode, triggering a reboot if they were inactive or off-network.
Experts believe that the new security feature was implemented due to concerns over iPhone security in forensic analysis settings. Apple had added this feature as an update, which suggests its intention to enhance security rather than introduce potential issues.
In October, 404 Media reported that law enforcement warned that securely stored iPhones awaiting forensic examination are mysteriously rebooting, making them harder to unlock. This was corroborated by Dr.-Ing. Jiska Classen, a research group leader at the Hasso Plattner Institute, who tweeted about the code introduced in iOS 18.1.
According to Dr. Classen, Apple indeed added a feature called "inactivity reboot" in iOS 18.1, and it is implemented in keybagd and the AppleSEPKeyStore kernel extension. She explained that it seems to have nothing to do with phone or wireless network state, but rather to be related to unlocking the device.
The "inactivity reboot" feature was introduced as a response to concerns over iPhone security during forensic analysis. Its primary intention is to erase sensitive data from memory and enhance security for users by preventing unauthorized extraction of information.
However, experts are concerned that this new feature may cause problems in law enforcement settings where forensics tools like Cellebrite are used to analyze iPhones. The "inactivity reboot" feature limits app access to encryption keys, returning devices to a "Before First Unlock" state, which makes it harder for current tools to crack BFU iPhones.
The document obtained by 404 Media noted that some iPhones in a forensics lab, including those in Airplane mode or a Faraday box, rebooted unexpectedly, losing their "After First Unlock" (AFU) state. This raises concerns over the impact of this feature on law enforcement and forensic analysis settings where tools like Cellebrite are used to unlock and analyze iPhones.
The experts believe that the auto-reboot timer introduced in iOS 18.1 is likely to cause problems for forensics labs where iPhones await examination. The document recommended isolating AFU devices from iOS 18 devices to prevent unexpected reboots that erase the AFU state, as well as taking inventory to check if any AFU devices have already rebooted.
In conclusion, Apple's "inactivity reboot" feature raises concerns over security and law enforcement in settings where iPhones await examination. While its intention is to enhance data security for users by preventing unauthorized extraction of information, experts believe that it may cause problems in forensic analysis settings due to the impact on current tools.
The document recommended that forensics labs be cautious when dealing with devices that have undergone an "inactivity reboot" and take steps to mitigate any potential issues. This is a reminder for law enforcement agencies and experts alike of the need for caution when implementing new security features, as they may sometimes have unintended consequences in certain settings.
The introduction of Apple's new "inactivity reboot" feature highlights the ongoing cat-and-mouse game between device manufacturers and cybercriminals. As technology advances, so too do the methods used by hackers to bypass or disable security measures.
In order to stay ahead of these threats, it is essential for device manufacturers like Apple to continually monitor and evaluate their security features and update them as necessary. The impact of this new feature raises questions about the importance of collaboration between industry players and law enforcement agencies to address emerging security concerns.
The increasing reliance on technology has created a complex landscape where device security plays a crucial role in preventing cyber threats. As we move forward, it is essential for companies like Apple to prioritize transparency when introducing new features that may have an impact on users and law enforcement agencies alike.
Related Information:
https://securityaffairs.com/170824/security/apple-feature-inactivity-reboot-ios-18-1.html
Published: Tue Nov 12 07:05:59 2024 by llama3.2 3B Q4_K_M