The iOS 18 Feature That’s Frustrating Law Enforcement

Apple’s latest iOS 18 update has quietly introduced a groundbreaking security feature designed to enhance data protection. The feature, uncovered by security researchers, triggers an automatic reboot for iPhones left locked and unused for three days, plunging them into the highly secure "Before First Unlock" (BFU) state.

This addition aims to make unauthorized access significantly more challenging, whether by criminals or forensic analysts. Here's a detailed look at how this feature works and its implications.Photo via MacRumors // Apple's latest iOS 18 update causes iPhones to restart automatically after 3 days of inactivity.

What Is the 'Before First Unlock' State?

When an iPhone reboots, it enters the Before First Unlock (BFU) state. In this mode, encryption keys remain locked within the device's Secure Enclave Processor (SEP), significantly restricting access to stored data. According to research from Dakota State University’s digital forensics lab, the BFU state prevents extraction of most user data, adding a robust layer of security.

Once a user enters their passcode, the phone transitions to the After First Unlock (AFU) state, where encryption keys are loaded into memory, making the device more vulnerable to forensic tools. The new iOS feature minimizes the AFU state’s window of opportunity by ensuring devices reboot after prolonged inactivity.

The Technical Details Behind the Reboot

Security researcher Jiska Classen from the Hasso Plattner Institute shared a deep dive into the feature.

Classen found references to an "inactivity_reboot" mechanism in iOS 18.1 and 18.2 beta versions by analyzing code strings and reverse-engineering Apple’s Secure Enclave and kernel modules. Despite speculation, Classen confirmed that the reboots are entirely self-contained within the device and are not influenced by wireless connectivity or external commands.

How It Works:

• The Secure Enclave monitors the time since the last device unlock.
• If the phone has remained locked for 72 hours, the system initiates a reboot.
• The SpringBoard (iOS's home screen manager) ensures this process doesn’t result in data loss.

“Security-wise, this is a very powerful mitigation. An attacker must have kernel code execution to prevent an inactivity reboot,” Classen explained in her post.

Implications for Law Enforcement and Criminals

The automatic reboot poses unique challenges for both forensic analysts and criminals:

• Forensic Limitations: Tools like Cellebrite, commonly used by law enforcement, can extract only limited data in the BFU state. This includes basic system files and low-value user data, such as SMS thumbnails stored in .KTX files.

Photo via Cellebrite // Cellebrite, a company that develops 'iPhone hacking' devices, is impacted by this update.

• Criminal Impact: The reboot feature effectively locks out criminals from accessing sensitive user data, including banking and personal accounts.

Classen noted: “While law enforcement is under more time pressure, it likely completely locks out criminals from accessing your data.”

User Impact: Minimal Annoyance, Maximum Protection

For everyday users, the feature is unlikely to cause disruptions. Unless you leave your iPhone untouched for three days — a rarity for most people — the device will function as usual. In the rare event of an automatic reboot, users simply need to re-enter their passcode.

However, the feature highlights Apple’s continued commitment to user privacy and its ongoing resistance to government pressure for encryption backdoors.Photo via BGR // Law enforcement agencies around the world have been frustrated in recent years by Apple's privacy-focused stance when it comes to unlocking iPhones and making it easy for law enforcement to access the files of Apple devices.

A History of Security Innovation

Apple has long been at odds with law enforcement over its security measures. By steadily increasing encryption and security protocols, the company has drawn criticism for hindering investigations. Despite pressure, Apple has maintained its stance against creating backdoors, a move that has bolstered consumer trust while frustrating authorities.

What’s Next for iOS Security?

As mobile security continues to evolve, this "inactivity reboot" feature could set a new standard across the industry. With Android devices already adopting similar BFU protocols, Apple’s latest innovation may encourage competitors to implement comparable measures.

This development underscores the delicate balance between privacy and accessibility, where Apple once again sides firmly with the user.

For the latest updates on iOS 18 and mobile security, stay tuned to Apple Scoop.

Recommended by the editors:

• More From Apple Scoop — America's Favorite Source For Apple News, Rumors & More

Luke Everett

Lead Technology Journalist

Luke Everett is Apple Scoop’s Lead Technology Journalist with 7 years of experience reporting on Apple hardware, software, and breaking news. Known for his investigative insights and in-depth analysis, Luke covers everything from major Apple keynotes to the latest rumors in the industry, helping readers stay ahead of the curve.

Luke's journalism More about iOS 18