Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops - eviltoast

Apple quietly introduced code into iOS 18.1 which reboots the device if it has not been unlocked for a period of time, reverting it to a state which improves the security of iPhones overall and is making it harder for police to break into the devices, according to multiple iPhone security experts.

On Thursday, 404 Media reported that law enforcement officials were freaking out that iPhones which had been stored for examination were mysteriously rebooting themselves. At the time the cause was unclear, with the officials only able to speculate why they were being locked out of the devices. Now a day later, the potential reason why is coming into view.

“Apple indeed added a feature called ‘inactivity reboot’ in iOS 18.1.,” Dr.-Ing. Jiska Classen, a research group leader at the Hasso Plattner Institute, tweeted after 404 Media published on Thursday along with screenshots that they presented as the relevant pieces of code.

    • TaviRider@reddthat.com
      link
      fedilink
      English
      arrow-up
      74
      ·
      14 days ago

      When you first boot up a device, most data on that device is encrypted. This is the Before First Unlock (BFU) state. In order to access any of that data, someone must enter the passcode. The Secure Enclave uses it to recreate the decryption keys that allow the device to access that encrypted data. Biometrics like Face ID and Touch ID won’t work: they can’t be used to recreate the encryption keys.

      Once you unlock the device by entering the passcode the device generates the encryption keys and uses them to access the data. It keeps those keys in memory. If it didn’t, you’d have to enter your passcode over and over again in order to keep using your device. This is After First Unlock (AFU) state.

      When you’re in AFU state and you lock your device, it doesn’t throw away the encryption keys. It just doesn’t permit you to access your device. This is when you can use biometrics to unlock it.

      In some jurisdictions a judge can legally force someone to enter biometrics, but can’t force them give up their passcode. This legal distinction in the USA is that giving a passcode is “testimonial” because it requires giving over the contents of your mind, and forcing suspects to do that is not legal in the USA. Biometrics aren’t testimonial, and so someone can be forced to use them, similar to how arrested people are forced to give fingerprints.

      Of course, in practical terms this is a meaningless distinction because both biometrics and a passcode can grant access to nearly all data on a device. So one interesting thing about BFU vs AFU is that BFU makes this legal hair-splitting moot: biometrics don’t work in BFU state.

      But that’s not what the 404 Media articles are about. It’s more about the forensic tools that can sometimes extract data even from a locked device. A device in AFU state has lots of opportunities for attack compared to BFU. The encryption keys exist, some data is already decrypted in memory, the lightning port is active, it will connect to Wi-Fi networks, and so on. This constitutes a lot of attack surface that hackers could potentially exploit to pull data off the device. In BFU state, there’s very little data available and almost no attack surface. Automatically returning a device to BFU state improves resistance to hacking.

      • Excrubulent@slrpnk.net
        link
        fedilink
        English
        arrow-up
        14
        ·
        14 days ago

        Fun fact: in Australia we don’t have a bill of rights of any kind, so the cops can just force you to reveal your passwords. The maximum penalty for refusing is 2 years imprisonment.

          • Excrubulent@slrpnk.net
            link
            fedilink
            English
            arrow-up
            5
            ·
            14 days ago

            To the ASIO agent assigned to tracking my every online move:

            1. I didn’t see this comment.
            2. I don’t understand it.
            3. I would never do such a thing.
            4. I’m sorry this is what your life has been reduced to. Your patriotism is misplaced and you would be happier if you worked against the creeping surveillance state rather than for it. You know better than any of us how horrible it is, and you have the skills we need.
        • ferret@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          7
          ·
          14 days ago

          Honestly, as an american, I could live with watered down rights if it meant a more representative government

          • Excrubulent@slrpnk.net
            link
            fedilink
            English
            arrow-up
            4
            ·
            14 days ago

            Oh yeah, just don’t read about what happens to our prime ministers when they attempt to defy the empire. Totes democracy we got over here.

      • Mongostein@lemmy.ca
        link
        fedilink
        English
        arrow-up
        4
        ·
        14 days ago

        Also, in the BFU state, iPhones at least, won’t allow any data connections through USB

        • TaviRider@reddthat.com
          link
          fedilink
          English
          arrow-up
          5
          ·
          14 days ago

          It’s more complicated than that. It’s called USB restricted mode. The lightning port is always willing to do a minimal subset of the protocols that it supports in order to do smart charging. By default most of the protocols it supports are disabled in BFU state. In AFU state it gets more complex than that. Accessories that you’ve previously connected can connect for one hour after the device is locked. This helps keep USB restricted mode from being really annoying if you briefly disconnect and reconnect an accessory.

          USB restricted mode can be disabled by a user option (Settings > [Touch / Face] ID & Passcode > Allow Access When Locked > Accessories) or by a configuration profile. Disabling it allows accessories to connect at any time, and generally lowers the security of your device. But in some cases that’s necessary, for instance when you use an accessibility accessory to use your device.

          If USB restricted mode is a concern for you, you should consider Lockdown Mode (Settings > Privacy & Security > Lockdown Mode). This changes several settings on your device to make it much more resilient to attack.

      • tupalos@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        12 days ago

        Great explanation. That was super insightful.

        So even with BFU, does the iPhone not connect to the internet? I guess i hadn’t noticed it doesn’t.

        Also are you still about to track via gps an iPhone that is in the off state? Just curious if there’s a lot of other vectors where the iPhone is still connected?

        • TaviRider@reddthat.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          12 days ago

          So even with BFU, does the iPhone not connect to the internet? I guess i hadn’t noticed it doesn’t.

          Well, it’s complicated. Most of these topics are. In BFU state, an iPhone (or iPad with cellular) with an active SIM and active data plan will connect to the Internet. It won’t connect to Wi-Fi at all. If you have USB restricted mode disabled and the right accessory connected it will connect to an Ethernet network, but that may fail if the network requires 802.1x and the credential is not available in BFU state. Similarly if USB restricted mode is disabled you can use tethering to a Mac to share its network.

          For location, there’s two mechanisms. One mechanism relies on directly communicating with the device, which only works if the device has network.

          The other mechanism is the “FindMy network” which uses a Bluetooth low energy (BTLE) beacon to let other nearby devices detect it, and they report that to FindMy. It’s a great technology. The way it uses rotating IDs preserves your privacy while still letting you locate your devices. I know that this works when a device is powered off but the battery is not completely dead. I’m not sure if it works in BFU state… my guess it that it does work. But this is not networking. It’s just a tiny Bluetooth signal broadcasting a rotating ID, so it’s one-way communication.

          Other than that, I’m not as sure how things work. I believe Bluetooth is disabled by default in BFU state, but I suspect users can choose to re-enable Bluetooth in BFU state to connect to accessibility accessories. I’m not sure about the new emergency satellite communication.

          But one thing I know for sure is that Apple has world class security engineers, and one area they work hard to secure is devices in BFU state.

          • tupalos@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            11 days ago

            Wow ya that’s a lot of stuff to have to keep track of. Those security engineers are something else. I thought software security was already complex but iPhones or any phones sounds like its even more so

    • nicerdicer@feddit.org
      link
      fedilink
      English
      arrow-up
      38
      ·
      14 days ago

      Once rebooted, you need to enter your PIN to unlock the phone (and the SIM as well). Before that it is not possible to unlock the phone with biometric credentials (face ID or fingerprint).

      As far as I’m aware, police can force you to hand over your biometric credentials (they can hold the phone to your face to unlock it when you have face ID enabled, or can move your finger to the fingerprint sensor). But they can’t force you to reveal the PIN number.

        • chiliedogg@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          ·
          14 days ago

          Yep: but they can’t force you to give them the password because of 5th Amendment protections from self-incrimination.

          And even if they did have the right to tell you to give them the password, they don’t have access if you simply refuse to cooperate. They can get your fingerprints, face ID, or retina scan by force. They cannot extract information from your brain.

          BTW: Lots if phones also have a “lockout mode” that can be enabled that will give you the option to lock it down to password-only without turning it off. It can be good for recording police interactions, because it will continue to record them while they can’t access the contents of the phone if they swipe it from you.

      • LifeInMultipleChoice@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        10
        ·
        edit-2
        14 days ago

        Yeah but that would imply they are bringing the phones to the person multiple times to use their face/finger, or they are keeping the phone active so it never locks, unless they are actively changing the settings to never lock somehow. Seems like an easier fix to just require you to enter your pin to change your lock setting to indefinitely.

        Side note: the last time I was arrested the officer asked me if I wanted to reboot my phone or turn it off before handing it over so I knew they weren’t going to go through it. Was surprised

        • MindlessZ@lemm.ee
          link
          fedilink
          English
          arrow-up
          5
          ·
          14 days ago

          The more full reason is that the device is still encrypted prior to first unlock and is harder to extract any information from. As to what you said about police requiring you to enter your PIN, they can’t. You can’t be forced to reveal your passwords/PINs but they can legally force you to unlock biometrics (fingerprint/face ID)

          • LifeInMultipleChoice@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            3
            ·
            14 days ago

            I never said they could require you to enter a pin, my words are often a jumble. I was saying cops actually asked me if I wanted to restart or shut down my phone so I had peace of mind that they wouldn’t go through it.

        • nicerdicer@feddit.org
          link
          fedilink
          English
          arrow-up
          4
          ·
          14 days ago

          I don’t know how the procedere would be executed, but I imagine that police could have the phone present during an interrogation and try to nlock it there (possibly by making you to look at the phone to unlock it, if the phone has been set up to unlock this way). Once unlocked, it would be sufficient to have a peek into the camera roll or messages, until the phone locks again. I don’t know about the law, but I can imagine that if a police officer had a look into your phone, even briefly, it may be held against the one who is being interrogated.

      • EndlessNightmare@reddthat.com
        link
        fedilink
        English
        arrow-up
        3
        ·
        14 days ago

        or can move your finger to the fingerprint sensor).

        Good luck guessing which finger and on which hand. You have 3 tries before a password is required.

    • Kairos@lemmy.today
      link
      fedilink
      English
      arrow-up
      5
      ·
      14 days ago

      As I understand it, even though after Reboot the OS looks like its in about the same state with the wallpaper and same password to unlock, the fact that it hasn’t been unlocked yet means that certain attacks don’t work as well. I don’t know why specifically. I think it’s because the attack may still work but doesn’t reveal any sensitive data because it’s just the ROM, wallpaper, sim, etc.

    • ouch@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      14 days ago

      Most likely after rebooting but before unlocking the decryption key is not present in memory in plaintext.