Classes et al.
When you turn off an iPhone, it doesn’t turn off completely. Chips in the device continue to operate in a low-power mode that makes it possible to locate lost or stolen devices using the Find My function or to use credit cards and car keys after the battery is depleted. Now, researchers have devised a way to exploit this always-on mechanism to run malware that remains active even when an iPhone appears to be turned off.
It turns out that the iPhone’s Bluetooth chip — which is key to making features like Find My Work — has no mechanism for digitally signing or even encrypting the firmware running on it. Scientists at the German Technical University of Darmstadt have discovered how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or perform new functions when the device is turned off.
This video gives a good overview of some of the ways an attack can work.
[Paper Teaser] Evil Never Sleeps: When wireless malware stays on after iPhones are turned off.
The study is the first – or at least one of the first – to examine the risk of chips running in a low-power mode. Not to be confused with iOS power saving mode to save battery. The power-saving mode (LPM) in this study causes chips responsible for near-field communications, ultra-wideband, and Bluetooth to operate in a special mode that can remain on for 24 hours after a device is turned off.
“The current LPM implementation on Apple iPhones is opaque and adds new threats,” the researchers wrote in a paper published last week. “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. So it has a long-lasting effect on the overall iOS security model. To our knowledge, we are the first to explore undocumented LPM features introduced in iOS 15 and discover several issues.”
They added: “The design of LPM features seems to be mostly driven by functionality, without considering threats outside of the targeted applications. Find My after power off turns shutdown iPhones by design into tracking devices, and the implementation within the Bluetooth firmware is not protected against tampering.”
The findings have limited real value, as infections required a jailbroken iPhone, which in itself is a difficult task, especially in a hostile environment. Still, targeting the always-on feature in iOS can come in handy in post-exploit scenarios by malware like Pegasus, the advanced smartphone exploit tool from Israel-based NSO Group, which governments around the world routinely use to spy on adversaries. . It may also be possible to infect the chips if hackers discover security flaws prone to over-the-air exploits, similar to those that worked against Android devices.
In addition to allowing malware to run while the iPhone is turned off, exploits targeting LPM can also make malware work much more stealthily, as LPM allows the firmware to conserve battery power. And of course, firmware infections are already extremely difficult to detect due to the considerable expertise and expensive equipment required to do so.
The researchers said Apple engineers reviewed their paper before it was published, but company representatives never gave feedback on its content. Apple representatives did not respond to an email requesting comment for this story.
Ultimately, Find My and other LPM features provide additional security by allowing users to locate lost or stolen devices and lock or unlock car doors even when the batteries are dead. But the research uncovers a double-edged sword that has gone largely unnoticed until now.
“Hardware and software attacks similar to the attacks described have proven practical in practice, so the topics covered in this document are current and practical,” said John Loucaides, senior vice president of strategy at the firmware security firm Eclypsium. “This is typical for any device. Manufacturers are constantly adding features and with every new feature comes a new attack surface.”
