Researchers invent iPhone malware that runs even when the device is turned off
Classen et al.
When you turn off your iPhone, it doesn’t completely shut down. The chips inside the device continue to run in a low-power mode so that a lost or stolen device can be located using Find My, or so the phone can still be used as a credit card or car key, even after the battery runs out. Now, researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when the iPhone appears to be powered off.
It turns out that the iPhone’s Bluetooth chip — key to making features like Find My work — has no mechanism to digitally sign or even encrypt the firmware it runs. Academics at Germany’s Technical University of Darmstadt have found a way to exploit this lack of hardening to run malware that allows attackers to track a phone’s location or run new features when the device is turned off.
This video provides a high-level overview of several ways such an attack can work.
[Paper Teaser] The Devil Never Sleeps: When wireless malware stays on after turning off iPhone.
This is the first study — or at least among the first — to examine the risk posed by chips running in low-power mode. Not to be confused with iOS’s low-power mode for conserving battery life, the low-power mode (LPM) in this study allows the chips responsible for near-field communication, ultra-wideband, and Bluetooth to run in a special mode that can remain on for 24 hours after the device is turned off.
“The current implementation of LPM on Apple’s iPhone is opaque and adds new threats,” the researchers wrote in a paper published last week. “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. As such, it has a lasting effect on the overall security model of iOS. To the best of our knowledge, we were the first to look at the undocumented LPM features introduced in iOS 15 and discovered various issues.”
They added: “The design of LPM features seems to be primarily driven by functionality, without considering threats outside of the intended applications. Find My after power off turns the iPhone into a tracker by design, and the implementation in the Bluetooth firmware is not secured against manipulation.”
The findings have limited real-world value, as infecting the chip requires a jailbroken iPhone, which is in itself a daunting task, especially for an adversary. However, targeting the always-on feature in iOS could prove useful in post-exploitation scenarios, where malware such as Pegasus, the sophisticated smartphone malware from Israel-based NSO Group, is routinely used by governments worldwide to spy on adversaries. It might also be possible to infect the chips if a hacker discovers security holes that can be exploited over the air, similar to those that have already been found to work against Android devices.
Besides allowing malware to run while the iPhone is turned off, exploits targeting LPM can also allow malware to operate with much more stealth, because LPM allows firmware to conserve battery power. And of course, firmware infections are already extremely difficult to detect, since doing so requires significant expertise and expensive equipment.
The researchers said Apple engineers reviewed their paper before it was published, but company representatives did not provide any feedback on its content. An Apple representative did not respond to an email seeking comment for this story.
To be sure, Find My and other features enabled by LPM provide added security, as they allow users to locate a lost or stolen device and lock or unlock car doors even when the battery is dead. But the research exposes a double-edged sword that has so far gone largely unnoticed.
“Hardware and software attacks, similar to those described, have proven to be real in a real-world context, so the topics covered in this paper are timely and practical,” said John Loucaides, senior vice president of strategy at software security firm Eclypsium. “This is typical for every device. Manufacturers are always adding features, and with each new feature comes a new attack surface.”