A recent report by 404 Media revealed that law enforcement agents have been concerned about iPhones automatically rebooting themselves, which makes it very difficult to hack these devices. Security researcher Jiska Classen later discovered that this behavior is caused by a new feature called “Inactivity Reboot,” which has now been reverse-engineered by Classen.

Reverse engineering iPhone’s Inactivity Reboot feature

The researcher detailed in a blog post how exactly Inactivity Reboot was implemented by Apple – which did everything quietly without publicly announcing the new security feature. Based on iOS code, it was possible to confirm that Inactivity Reboot was implemented in iOS 18.1, although iOS 18.2 beta code suggests that Apple is still making improvements to how it works.

Contrary to what was previously thought, the security feature has no relation to wireless connectivity. Instead, it uses the Secure Enclave Processor (SEP) to track when the iPhone was last unlocked. If the last time unlocked exceeds three days, SEP notifies a kernel that kills Springboard (which is the core of iOS) and initiates a reboot.

Unsurprisingly, according to Classen, Apple has implemented ways to prevent hackers from bypassing this process. For example, if something prevents the kernel from rebooting the iPhone, the system will automatically cause a kernel panic to crash and reboot the device. The system also sends analytical data to Apple when a device enters the “aks-inactivity” state.

Since everything related to Inactivity Reboot happens in SEP and not in the main iOS kernel, it’s much more challenging to bypass it – even if the main kernel is compromised (like with a jailbreak tool). As Classen explained, little is known about the SEP as Apple keeps everything, including its firmware, under wraps.

When rebooted, the iPhone enters a Before First Unlock (BFU) mode, which encrypts all the files on the device until the user enters the device’s passcode. Even Cellebrite, a cybersecurity company that specializes in extracting data from locked iPhones, acknowledges that getting data from a device in BFU mode is quite challenging.

Cellebrite can't unlock iPhones running iOS 17.4 and later | One of the company's devices
Cellebrite tool used to hack iPhones

Apple doesn’t say why it implemented Inactivity Reboot on the iPhone with iOS 18, but the reasons seem pretty clear. The company certainly wants to crack down on tools like Cellebrite and Pegasus spyware, which are often used by law enforcement agents. Of course, this also protects regular users who may have their data extracted after being the victim of a theft or robbery.

More details on reverse engineering the Inactivity Reboot feature can be found on Jiska Classen’s blog.

FTC: We use income earning auto affiliate links. More.