How StellarOS handles AFU- and BFU mode

A phone can have two modes: Before-First-Unlock mode and After-First-Unlock mode.

When the phone is not in your hand, the best mode a phone can be in, is in the Before-First Unlock mode. In this state, the device’s data is highly encrypted, and most of it is inaccessible, even to the operating system. 

What is Before-First-Unlock (BFU) and After-First-Unlock (AFU)?

Before First Unlock (BFU) refers to the state of a device, particularly smartphones, before the user has unlocked it for the first time after a restart. In this state, the device’s data is highly encrypted, and most of it is inaccessible, even to the operating system. This is because the encryption keys needed to decrypt the data are not available until the user enters their passcode or uses biometric authentication.

After First Unlock (AFU) refers to the state of the device after it has been unlocked at least once following a restart. In this state, some encryption keys remain in memory, allowing easier access to certain data without requiring the user’s credentials again. While the device is still secure, more data is accessible in AFU mode compared to BFU mode, making AFU a more vulnerable state in terms of potential forensic analysis or unauthorized access.

With these descriptions, it is now clear why the phone should be in BFU-mode when your phone is not in your hands. When the phone is in BFU-mode, the phone is way more secure, than when the phone is in AFU-mode.

How StellarOS makes sure your phone goes to BFU-mode

In our operating system, StellarOS we have added multiple protections that will set your phone into BFU-mode; those protections run in the background, without the user notifying it. This also makes the user-experience seamless. Those protections only run when the phone is in AFU-mode.

We call this Reboot-Emergency:

• When the phone hasn’t been unlocked for x-time (default 4 hours), the phone will restart on its own.
  
  
• If the phone gets dropped to the ground or shaken hard a internal timer will start, that after 1 hour of the event occured will restart the phone and set it into BFU-mode, unless the phone gets unlocked. (phone gets locked with your password as-well in this case).
  
  
• If the phone gets set into Flight-mode or loses all signals to Wi-Fi / cellular connection the phone will restart after 1 hour and be set into BFU-mode.
  
  
• If the user writes their login password wrong the phone will restart after 1 hour and be set into BFU-mode.
  
  
• StellarOS will on every 3rd failed login-attempt restart the phone (this delays brute-force attacks, but also makes sure the phone is being set into BFU-mode).
  
  
• If a USB-connection is being doing the phone will restart after 1 hour and be set into BFU-mode. (Notice: this only runs, if the user has not enabled the delete phone if USB-connection is detected).

There are more security mechanisms into the OS, which we will discuss later. But, as you can see, StellarOS has a lot of different mechanisms to be sure that your phone is in BFU-state, when it is not in your hand.

Most operating-systems only have “auto-reboot after x-time”, but the auto-rebooting itself is not enough to make sure that the phone becomes BFU-state before an attacker exploits the data. This is why we have added more helpers for this.

Notice: the internal timers will only run, if the phone is in AFU-state. When the phone gets unlocked, all timers will be cleared, this prevents the phone from suddenly restarting for no reason.

We’re always working on new mechanisms to the Reboot-Emergency that make sure the phone gets into the BFU-mode without you having the device in your hand.

For any questions contact us here: https://stellarsecurity.com/contact-us

–