Automatically Switching 'AFU' To 'BFU' Allows Apple To Enhance iOS Security With 'Inactivity Reboot'


Apple is known not only for its high-quality products and premium price tags but also for a few other defining features.

Beyond its closed ecosystem and firm stance against third-party modifications, Apple is recognized for its distinctive approach to safeguarding user privacy. Now, with iOS 18.1, Apple has discreetly introduced a new piece of code aimed at further enhancing this privacy commitment.

It's reported that the added security feature causes iPhones to automatically reboot after a period of inactivity.

Dubbed 'Inactivity Reboot,' it leverages the fact that rebooting an iPhone clears whatever is held in memory.

In particular, the automatic reboot is meant to eliminate the encryption key that iPhones traditionally keep in memory after they're powered on, unlocked, locked, and left idle.

At first, Apple declined to confirm or deny this, but after thorough inspection, researchers found that Apple has tweaked keybagd and the AppleSEPKeyStore kernel extension to make iPhones behave that way.

An iPhone in its AFU state (left), and its BFU state (right).

In more detail, iPhones that have been unlocked, locked, and left idle enter a state called After First Unlock (AFU).

AFU refers to when somebody, presumably the phone’s owner, has unlocked the device at least once since being powered on.

On iOS devices, where all data is encrypted with a key generated during the initial installation or setup of the operating system, the AFU state keeps encryption keys in memory, so if a file needs to be accessed, the iPhone can automatically decrypt it using these keys.

Because the encryption keys are kept in memory for convenience, iPhones are more prone to being hacked if they physically fall into the wrong hands.

What Inactivity Reboot does is automatically reboot iPhones to put them into a state known as Before First Unlock (BFU), where information is encrypted and Face ID is disabled until a user enters a passcode.

In this state, iOS puts iPhones "at rest," where they no longer store encryption keys in memory.

This means hacking attempts should be a lot more difficult.

Without the decryption keys available, iPhones should be much more resistant to being breached.

The code Apple tweaked triggers Inactivity Reboot if an iPhone is left idle for four days.

Long story short, Inactivity Reboot is effectively an inactivity timer that makes iPhones in an AFU state reboot into a BFU state.
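The AFU/BFU key lifecycle and the inactivity timer described above, as a simplified model. This is an added example, not Apple's code: `ToyPhone`, its methods and the single-key design are hypothetical, the XOR keystream is a toy stand-in for real file encryption, and the four-day limit is the figure this article gives.

```python
import hashlib
import hmac
import os

INACTIVITY_LIMIT_S = 4 * 24 * 3600  # four days, the figure the article gives


class ToyPhone:
    """Simplified model: one data key, derived from the passcode, kept in RAM."""

    def __init__(self, passcode: str, secret: bytes, now: float = 0.0):
        self._salt = os.urandom(16)
        key = self._derive(passcode)
        self._check = hmac.new(key, b"check", hashlib.sha256).digest()
        self._blob = self._xor(secret, key)  # data at rest (toy cipher)
        self._ram_key = None                 # fresh boot: BFU, no key in memory
        self._last_unlock = now

    def _derive(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 10_000)

    @staticmethod
    def _xor(data: bytes, key: bytes) -> bytes:
        stream = hashlib.shake_256(key).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    @property
    def state(self) -> str:
        return "AFU" if self._ram_key is not None else "BFU"

    def unlock(self, passcode: str, now: float) -> bool:
        key = self._derive(passcode)
        tag = hmac.new(key, b"check", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._check):
            return False
        self._ram_key, self._last_unlock = key, now  # key stays in RAM after locking
        return True

    def tick(self, now: float) -> None:
        """Inactivity timer: 'reboot' (drop the RAM key) once the limit passes."""
        if self._ram_key is not None and now - self._last_unlock >= INACTIVITY_LIMIT_S:
            self._ram_key = None

    def read(self) -> bytes:
        """What the device itself can decrypt right now without the passcode."""
        if self._ram_key is None:
            raise PermissionError("BFU: no key in memory")
        return self._xor(self._blob, self._ram_key)
```
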

The difference between AFU and BFU is mostly about the data that can be extracted.

When a device is in the AFU lock state, a proficient person who has their hands on the iPhone can initiate what's called an AFU extraction.

An AFU extraction can extract a vast majority of all user-generated data, which can contain chats, images, videos, web-browsing data, and much more.

An example of an AFU extraction.

While the amount of information that can be retrieved from an iPhone in an AFU lock state will not be complete, some said that they can see as much as 95% of a full filesystem extraction.

In other words, the amount of information that can be retrieved can be substantial.

Compared to a full filesystem extraction, an AFU extraction doesn't contain Apple Mail, Apple Health, or significant location information.

But when an iPhone is in a BFU state, a data extraction attempt should use a BFU extraction instead.

While data can still be extracted, the kind of data is a lot more limited, as the information contained within a BFU extraction mainly includes system data.

Other types of data are limited to application data and cached images and videos, none of which are user-generated.

The first to discover this were the authorities.

An example of a BFU extraction.

The police know about the existence of these two states, which is why seized iPhones are kept in their AFU state rather than their BFU state: the difference between the two extractions is quite large.

But all of a sudden, according to reports, law enforcement officials were confused to find that iPhones stored for examination were mysteriously restarting themselves. At the time, the cause was unclear, with the officials only able to speculate whether it was caused by a bug.

Before they realized what had happened, this "bug" made it harder for their forensic tools to crack confiscated iPhones.

The authorities also hypothesized that Apple might have introduced a new security feature in iOS 18 that tells nearby iPhones to reboot if they have been disconnected from a cellular network for some time.

"The purpose of this notice is to spread awareness of a situation involving iPhones, which is causing iPhone devices to reboot in a short amount of time (observations are possibly within 24 hours) when removed from a cellular network," the document read at the time.

While the feature is 'just' a timer, the little tweak does add an extra layer of security to iOS-powered devices, should they get lost or stolen.

Published: 13/11/2024