iPhone Malware Can Operate Even When the Device Is Turned Off

Researchers from the Technical University of Darmstadt have developed malware for iPhones that can function even when the device is turned off. The discovery began when scientists were studying the implementation of low-power mode (LPM) on iPhones and found that it poses significant security risks, potentially allowing attackers to run malicious software on powered-down devices. According to experts, these risks should not be ignored, especially for journalists, activists, and others who may be targeted by well-funded adversaries.

How Does the Threat Work?

Analysis revealed that on iPhones running iOS 15, wireless communication systems such as Bluetooth, NFC, and Ultra-wideband (UWB) remain active even after the device is turned off.

“The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip and store secrets that must be accessible in LPM. Since LPM support is implemented at the hardware level, it cannot be disabled by changing software components. As a result, on modern iPhones, you can no longer trust that wireless chips are truly disabled after shutdown,” the research group’s report states.

Testing and Security Implications

After reaching this conclusion, the researchers tested apps that use LPM (such as Find My) and assessed their impact on hardware and firmware security. Since the attack described in the report is still conceptual, the experts assumed that an attacker already has privileged access to the firmware and can send special commands, modify the firmware image, or execute code remotely. They found that if the firmware is compromised, an attacker can retain some control over the victim’s device even after it is turned off, which could be very useful for persistent exploits.

Regarding hardware, the researchers assumed that attackers cannot compromise the hardware directly. Instead, they focused on determining which components could be activated without the user’s knowledge and which apps could be exploited.

Firmware Vulnerabilities

The report details how the Bluetooth LPM firmware can be modified to run malware on an iPhone 13, even if the device is turned off. The researchers explain that this attack is possible because the firmware is neither signed nor encrypted, and secure boot is not enabled for the Bluetooth chip.

“The design of LPM features is clearly driven by functionality, without considering risks beyond the intended applications. Find My turns powered-off iPhones into tracking devices, and the Bluetooth firmware implementation is not protected against tampering. Additionally, supporting modern car keys requires UWB in LPM. Bluetooth and UWB are now hardwired to the SE and are used to store car keys and other secrets. Since the Bluetooth firmware can be manipulated, SE interfaces become accessible to iOS. However, the SE is specifically designed to protect secrets, assuming iOS and its apps could be compromised,” the researchers write.
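The point the researchers make is that the Bluetooth firmware image has no integrity protection at boot, so a modified image runs exactly like the original. The following added example (written for this article, not code from the TU Darmstadt team or from Apple) models that contrast with a toy radio-firmware image format of my own invention: an unprotected loader that runs whatever sits in flash beside a boot-ROM loader that pins an expected SHA-256 digest and a minimum version. Real secure boot pins a public key and verifies a signature rather than a fixed digest so that images can be updated; the digest stands in for that signature check here because the example uses only the Python standard library.

```python
"""
Toy model of why unsigned radio firmware is a problem: an unprotected loader
versus a boot-ROM loader that verifies the image before running it.

Everything here is constructed for illustration: the image header layout,
the 'boot ROM', and the payload bytes. It is not the real chip's format.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                    # hypothetical image magic
HEADER = struct.Struct("<4sII")    # magic, version, payload length (12 bytes)


def build_image(version: int, payload: bytes) -> bytes:
    """Pack a firmware image in the constructed header + payload format."""
    return HEADER.pack(MAGIC, version, len(payload)) + payload


def unsafe_load(image: bytes) -> bytes:
    """Loader with no secure boot: returns the payload to execute as-is.

    A flipped byte, a swapped payload or a downgraded version is all
    accepted without complaint, which is the situation the report describes.
    """
    _magic, _version, length = HEADER.unpack_from(image)
    return image[HEADER.size:HEADER.size + length]


class BootRom:
    """Immutable 'ROM' holding the expected image digest and a version floor."""

    def __init__(self, trusted_image: bytes, min_version: int):
        # In a real design this would be a pinned public key; a pinned
        # digest is used here so the example stays standard-library only.
        self.pinned_digest = hashlib.sha256(trusted_image).digest()
        self.min_version = min_version

    def verify(self, image: bytes):
        """Return (ok, reason); ok is True only when the image may run."""
        if len(image) < HEADER.size:
            return False, "truncated header"
        magic, version, length = HEADER.unpack_from(image)
        if magic != MAGIC:
            return False, "bad magic"
        if len(image) != HEADER.size + length:
            return False, "length mismatch"
        if version < self.min_version:
            return False, "rollback"           # anti-rollback check
        actual = hashlib.sha256(image).digest()
        if not hmac.compare_digest(actual, self.pinned_digest):
            return False, "digest mismatch"    # tampered or unknown image
        return True, "ok"

    def secure_load(self, image: bytes) -> bytes:
        """Run the image only after verification; refuse anything else."""
        ok, reason = self.verify(image)
        if not ok:
            raise ValueError(f"refusing to boot: {reason}")
        return image[HEADER.size:]


def demo() -> dict:
    """Compare both loaders on a trusted, a tampered and a downgraded image."""
    good = build_image(3, b"radio firmware v3 (constructed payload)")
    rom = BootRom(good, min_version=3)

    tampered = bytearray(good)
    tampered[-1] ^= 0xFF                       # one flipped payload byte
    tampered = bytes(tampered)

    downgraded = build_image(2, b"radio firmware v2 (constructed payload)")

    return {
        # the unprotected loader happily runs the modified payload
        "unsafe_runs_tampered": unsafe_load(tampered) != unsafe_load(good),
        "secure_good": rom.verify(good),
        "secure_tampered": rom.verify(tampered),
        "secure_downgrade": rom.verify(downgraded),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of checks in `verify` matters: header sanity and the version floor are cheap and run before the hash, but neither replaces it, since an attacker who can rewrite flash can also bump the version field. Only the pinned digest (or, in a real design, the signature) ties the image to something the attacker cannot produce.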

Recommendations and Tools

The experts believe Apple should add a hardware switch to disconnect the battery, which would improve the situation. The research group has also released open-source tools, InternalBlue and Frankenstein, which can be used to analyze and modify firmware.

The researchers stated that they have reported their findings to Apple engineers but have not yet received any comments from the company.
