Classen et al.
When you turn off an iPhone, it doesn’t turn off completely. The chips inside the device continue to operate in low-power mode, allowing lost or stolen devices to be located using Find My or using credit cards and car keys afterwards. battery drain. Researchers have now found a way to abuse this permanent mechanism to execute malware that remains active even when an iPhone appears to be turned off.
It turns out that the iPhone’s Bluetooth chip – which is essential for running features like Find My work – has no mechanism to digitally sign or even encrypt the firmware it’s running. Academics from the German Technical University of Darmstadt have discovered how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the location of the phone or run new features when the device is turned off.
This video provides insight into some of the ways an attack can work.
[Paper Teaser] Evil never sleeps: When wireless malware stays on after turning off iPhones
The research is the first – or at least among the first – to investigate the risk posed by chips operating in low-power mode. Not to be confused with iOS’s Low Power Mode to save battery life, Low Power Mode (LPM) in this research allows the chips responsible for Near Field Communication, Ultra Wideband, and Bluetooth to operate in a special mode that can stay on for 24 hours after a device is turned off.
“The current implementation of LPM on Apple iPhones is opaque and adds new threats,” the researchers wrote in a paper published last week. “Because LPM support is based on iPhone hardware, it cannot be removed with system updates. Thus, it has a lasting effect on the overall security model of iOS To our knowledge, we are the first to have looked at the undocumented LPM features introduced in iOS 15 and discovered various issues.
They added, “The design of LPM features appears to be primarily functionality-driven, disregarding threats external to the intended applications. Find My After Power Off turns turned off iPhones into tracking devices by design, and the implementation in Bluetooth firmware is not tamper proof.
The results are of limited real value since the infections required a jailbroken iPhone, which in itself is a difficult task, especially in an adversarial context. Still, targeting the always-on functionality of iOS could prove useful in post-exploit scenarios by malware such as Pegasus, the sophisticated smartphone exploit tool from Israel-based NSO Group, which governments around the world whole regularly use to spy on their opponents. It may also be possible to infect chips in case hackers discover live exploitable security flaws like this one that worked against Android devices.
In addition to allowing malware to run when the iPhone is turned off, exploits targeting LPM could also allow malware to run much more discreetly, as LPM allows firmware to save battery power. . And of course, firmware infections are already extremely difficult to detect because they require significant expertise and expensive equipment.
The researchers said Apple engineers reviewed their paper before publication, but company representatives never provided comment on its content. Apple representatives did not respond to an email seeking comment on this story.
Ultimately, Find My and other LPM-enabled features help provide additional security as they allow users to locate lost or stolen devices and lock or unlock car doors even when batteries are depleted. But research reveals a double-edged sword that has so far gone largely unnoticed.
“Hardware and software attacks similar to those described have proven practical in a real-world environment, so the topics discussed in this document are timely and practical,” John Loucaides, senior vice president of strategy at the security company Eclypsium firmware. “This is typical for every device. Manufacturers are constantly adding features and with each new feature comes a new attack surface.”
