Cybersecurity researchers have discovered a way to run malware on Apple’s iPhones, even when the device is switched off.
A report published by the Technical University of Darmstadt in Germany details an exploit that takes advantage of the iPhone’s low-power mode (LPM) to track location and perform various malware attacks.
LPM allows certain smartphone facilities – such as Bluetooth, near-field communication (NFC) or ultra-wideband – to run even when the device is turned off or when its battery is depleted.
When an iPhone is shut down, it’s never truly off, as these components can still run 24/7. The idea is that people will still be able to use their on-device wallets and keys, even when they are out of battery.
Functionality vs. security
The problem with such a system is that the Bluetooth chip cannot digitally sign or encrypt the firmware it runs, the report explains.
“The current LPM implementation on Apple iPhones is opaque and adds new threats. Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues,” the researchers state.
“Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”
Thankfully, abusing the flaw is far from practical, because the attacker would first need to jailbreak the iPhone, which is a feat in itself.
But in the unlikely case of a successful attack, the intruder would be able to operate more stealthily, as compromised firmware is almost impossible to detect.
Apple has been notified of the findings, the researchers have said, but has not yet responded to the disclosure. TechRadar Pro has also asked the company for comment.
Via Ars Technica