iOS 18+ Rebooting To BFU Is Not A "Bug"

Screenshot from Magnet Employee (Graykey)

9 Likes

Awesome feature from Apple.

11 Likes

Matthew Green posted about this, too:

Seems the timer is ~4 days.

3 Likes

The earlier speculation of it being a kernel panic bug also seems to be correct for earlier versions of iOS (https://xcancel.com/0xA43/status/1854907213426389185#m)

Interesting to see iOS taking some early implementations of features of GOS. Happy to see security baseline increasing across the board :slight_smile:

4 Likes

Yes, but 3 days? Why??? You could deliver the phone from the North Pole to the South Pole in that amount of time.

1 Like

I dunno, ask Tim Apple :slight_smile:

A good step still. “Let not perfect be the enemy of great” and all.

2 Likes

So it doesn’t restart during normal use. Apple puts usability above all else, while a project like Graphene OS is willing to sacrifice some convenience for security.

4 Likes

The auto reboot on GrapheneOS is 18 hours, the reason is to make sure that the phone doesn’t reboot overnight or when a user doesn’t want it. I think it’s quite rare for people to not unlock their phone for 18 hours straight, but even then you can easily adjust the timer in the settings.

Three days is just approaching the territory of useless; LE can definitely ship the phone to Cellebrite or get their equipment in less than 3 days.

1 Like

GrapheneOS timer used to be 3 days. Following their philosophy of having safe defaults, I don’t think it was useless. It has only gotten harder to exploit phones since then afaik. Exploiting the phone also takes time, regardless of the transportation time.

1 Like

Three days is just approaching the territory of useless, LE can definitely ship the phone to Cellebrite or get their equipment in less than 3 days.

But as I see it, cracking it would take more than 3 days, so it will reboot before it can be cracked.

Well they wanna restart it before they have a chance to find an AFU exploit. They can keep these phones plugged in disconnected from any network for a long time until Cellebrite finds some exploit for AFU. This way they’re essentially forced to brute force the password, assuming Apple is actively fixing issues that could be exploited by these tools and the owner of the phone keeps it reasonably up to date.

Yeah, I didn’t say it does. I meant like if someone doesn’t unlock their phone for like a day, which is pretty common, they might not want it to restart.

If I am reading the posts correctly, leaving the phone plugged in and blocked from network access won’t work: the timeout is based on the last time the phone was unlocked.

Yes, according to what people are saying from looking at the code:

From what we know at this time, you are correct, and the feature depends solely on time since the last unlock. This is the most logical approach to auto-rebooting a device to return to the BFU (before first-unlock) state, and is how GrapheneOS implements the same feature.

Leaving the phone plugged in and blocked from the network would have been the traditional approach. This is both to keep the device in the AFU (after first-unlock) state until extraction is possible and to prevent remote data deletion. Automatically rebooting the device back to BFU increases the effective security by a lot since it is inevitable that a vulnerability will eventually be found for a device running unpatched software in the AFU state.
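The post above explains that the reboot is driven purely by time since the last unlock, so keeping the device powered and off the network does nothing to delay it. The model below is an added illustration written for this thread, not Apple's or GrapheneOS's code; it assumes a 72-hour (~3 day) iOS timeout and the 18-hour GrapheneOS default mentioned earlier, and the seizure timeline is constructed for the example.

```python
"""Model of an inactivity-based auto-reboot timer (AFU -> BFU).

Added illustration, not Apple's or GrapheneOS's implementation. The only
event that resets the timer is a successful unlock; power and network
events are recorded but have no effect on when the device returns to BFU.
Timeout values are assumptions taken from the thread.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOUR = 3600
IOS_ASSUMED_TIMEOUT = 72 * HOUR          # ~3 days, as reported in the thread
GRAPHENEOS_DEFAULT_TIMEOUT = 18 * HOUR   # GrapheneOS default, user-adjustable


@dataclass
class Device:
    timeout: int
    state: str = "BFU"                  # BFU: file keys evicted from memory
    last_unlock: Optional[int] = None
    log: List[Tuple[int, str]] = field(default_factory=list)

    def handle(self, now: int, kind: str) -> None:
        """Apply an external event. Only 'unlock' touches the timer."""
        self.log.append((now, kind))
        if kind == "unlock":
            self.state = "AFU"
            self.last_unlock = now
        # 'usb_power', 'network_block', 'faraday_bag' etc.: logged, no effect

    def tick(self, now: int) -> bool:
        """Periodic check; returns True on the tick that reboots to BFU."""
        if self.state != "AFU" or self.last_unlock is None:
            return False
        if now - self.last_unlock >= self.timeout:
            self.state = "BFU"
            self.last_unlock = None
            self.log.append((now, "auto_reboot_to_BFU"))
            return True
        return False


def simulate(timeout: int, events: List[Tuple[int, str]], horizon: int,
             step: int = HOUR) -> Optional[int]:
    """Drive a Device through a timeline (seconds, event kind) and return the
    instant it rebooted to BFU, or None if it never did within the horizon."""
    dev = Device(timeout=timeout)
    pending = sorted(events)
    for now in range(0, horizon + 1, step):
        while pending and pending[0][0] <= now:
            _, kind = pending.pop(0)
            dev.handle(now, kind)
        if dev.tick(now):
            return now
    return None


# Constructed timeline: phone unlocked at seizure, then kept on a charger
# and isolated from the network one hour later.
SEIZED = [(0, "unlock"), (1 * HOUR, "usb_power"), (1 * HOUR, "network_block")]

if __name__ == "__main__":
    ten_days = 10 * 24 * HOUR
    for name, t in (("iOS (assumed)", IOS_ASSUMED_TIMEOUT),
                    ("GrapheneOS", GRAPHENEOS_DEFAULT_TIMEOUT)):
        r = simulate(t, SEIZED, ten_days)
        print(f"{name}: reboot to BFU after {r // HOUR if r else None} h")
```

Running it shows the charger and network events never appear in the reboot decision: the device returns to BFU exactly one timeout after the last unlock, and a later unlock simply moves that instant forward by the same amount.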

I wonder if it requires Bluetooth on all the time since Privacy Guides recommend turning it off.

Why would that be the case?

This feature seems to make an iPhone running iOS 18+ in AFU mode reboot after a certain time period since it was last unlocked (apparently 3 to 4 days).

This shouldn’t be influenced by Bluetooth.

1 Like

Just read something that iPhones can communicate with other Apple devices to perform a reboot even without a cellular connection.

Haven’t noticed it’s just a feature that automatically reboots after inactivity.

1 Like

It appears prior to iOS 18 this was just a memory maintenance reboot due to high memory usage, but now there is an actual inactivity timer reboot which I suspect is for anti-theft measures.

1 Like

https://xcancel.com/naehrdine/status/1856802400897503487
It appears to be 3 days

3 Likes