malware

iPhone Can Execute Malware Even While Turned Off

Can an iPhone user fully trust their phone even when it's off?

Researchers from the Technical University (TU) of Darmstadt’s Secure Mobile Networking Lab examined the low-power mode (LPM) implementation on iPhones and discovered that it could allow attackers to operate malware even on switched-off iPhones.

LPM features, which were introduced with iOS 15 last year, are activated when the user turns off the device or when the iPhone shuts down due to low battery. This is because the Bluetooth chip, among others, remains on after a user has powered it down, due in part to Apple’s “Find My” location tracking function.

Not every part of your iPhone shuts down when you hit the power button: Wireless chips remain on. Certain services need to know your phone’s location even when it’s off, and Apple’s “Find My” service is the reason why malware can be triggered on these devices at all times.

This ensures that some other functions, such as payment apps, digital car keys, and travel cards are still available even after the device’s battery runs out.

On recent iPhone models, three chips stay on — Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB).

They demonstrate in their paper a practical example of what this all means: Malware can be loaded onto a Bluetooth chip within an iPhone and then executed, later, while the iPhone is off.

“As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model,” the research states.

“Previous work only considered that journalists are not safe against espionage when enabling airplane mode in case their smartphones were compromised.”

Part of the issue, according to this research, is that the Bluetooth firmware is neither signed nor encrypted, and the UWB chip firmware is signed but not encrypted.

However, as pointed out in the paper, an attacker would have to first hack and jailbreak the iPhone (which is surely a challenging task) in order to gain access to the Bluetooth chip and exploit it.

The researchers offered a potential fix, saying Apple could change the LPM application thread — but also mentioned that Apple didn’t have feedback when they brought up their concerns. The functionality would have to be changed on a hardware level rather than a systems update, so it seems unlikely that the issue will be addressed in the near future.

Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

The researchers will report their findings at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this week in San Antonio.