HN Reader

>In the After First Unlock (AFU) state, user data is decrypted

Note that this is a slight simplification because, I assume, the reality is irrelevant to understanding the topic:

There are a few different keys [0] that can be chosen at this level of the encryption pipeline. The default one makes data available after first unlock, as described. But, as the developer, you can choose a key that, for example, makes your app's data unavailable any time the device is locked. Apple uses that one for the user's health data, and maybe other extra-sensitive stuff.

[0]: https://support.apple.com/guide/security/data-protection-cla...

To me the biggest takeaway is that Apple is sufficiently paranoid to add this feature. Some people (like John Gruber) advocate for activating bio lockout at the border by squeezing the volume and power buttons. I would say if you’re the type of person who would do this, you should go one step further and power off.

Similarly, if you’re in a situation where you cannot guarantee your phone’s security because it’s leaving your possession, and you’re sufficiently worried, again, power off fully.

I had to look up what SRD meant. It's a Security Research Device - "a specially fused iPhone that allows you to perform iOS security research without having to bypass its security features."

https://security.apple.com/research-device/

Two questions:

1. surely unconditionally rebooting locked iPhones every 3 days would cause issues in certain legit use cases?

2. If I read the article correctly, it reboots to re-enter "Before First Unlock" state for security. Why can't it just go into this state without rebooting?

Bonus question: my Android phone would ask for my passcode (can't unlock with fingerprint or face) if it thinks it might be left unattended (a few hours without moving etc.), just like after rebooting. Is it different from "Before First Unlock" state? (I understand Android's "Before First Unlock" state could be fundamentally different from iPhone's to begin with).

Great writeup, but I wonder why so much emphasis is put on not 'connected to network' part. It seems like a timed inactivity reboot is a simpler idea than any type of inter-device communication schemes. It's not new either; Grapheneos had this for a while now and the default is 18 hours (and you can set it to 10 minutes) which would be a lot more effective as a countermeasure against data exfiltration tools.

Great writeup! And it's good to see Apple pushing the envelope on device security.

> In law enforcement scenarios, a lot of the forensically relevant data is available in the AFU state. Law enforcement takes advantage of this and often keeps seized iPhones powered on, but isolated from the Internet, until they can extract data.

In Slovenia, devices have to be turned off the moment they are seized by their owner, prior to putting them into airplane mode.

Does anyone have insight into why Apple encrypts SEP firmware? Clearly it’s not critical to their security model so maybe just for IP protection?

I suspected this was being managed in the Secure Enclave.

That means it's going to be extremely difficult to disable this even if iOS is fully compromised.

Nice work, and appreciate the time you spent!

“I also downloaded an older kernel where Apple accidentally included symbols and manually diffed these versions with a focus on the code related to inactivity reboot. The kernel has three strings relating to the feature:” sounds like a little luck there for sure !

If this is such a security benefit why not do it after 24 hours instead? How many people go that long without using their phones?

How many people are using their phones for some other purpose for which they want their phones to never reboot? And what are they actually doing with their phones?

Great post. They talked about the possibility of iOS 18 wirelessly telling other phones to reboot, but then afaik didn’t address that again. Maybe they did and I missed it?

My question is: why three days specifically instead of a user-configurable delay?

This may explain why since iOS18 my device randomly reboots (albeit only takes max 5 seconds). I am a daily user so perhaps the reboot I experience is a bug.

If I were looking for low hanging fruit, I suspect it wouldn’t reboot if you were to replicate the user’s home WiFi environment in the faraday cage, sans internet connection of course. Or repeatedly initializing the camera from the lock screen.

thank you for such a great writeup, this is an excellent breakdown!

More security theatre.

I haven't read the whole thing, but from skimming the beginning. This is pretty similar how AOSP's BFU vs AFU unlock works.

How do these things work with devices inside a NAT gateway? Most of our devices are inside a LAN. Even if a server gets started, it won't be visible to the outside world, unless we play with the modem settings.

Now, a hacker/state who has penetrated a device can do an upload of data from the local decice to a CNC server.

But that seems risky as you need to do it again and again. Or do they just get into your device once and upload everything to CNC?