NoReboot Attack Creates Fake iPhone Shutdown to Enable Spying

NoReboot Attack Creates Illusion of iPhone Shutdown

Security researchers have discovered a new attack that allows iOS malware to remain active on an infected device by simulating the shutdown process. As a result, it becomes impossible to tell whether an iPhone is actually turned off, giving malicious software the opportunity to spy on the victim.

How the NoReboot Attack Works

The attack, named NoReboot, was detailed by cybersecurity experts at ZecOps. They found that it’s possible to lock the device and then mimic an iOS reboot, all while keeping the malware’s access to the compromised system. This is especially significant because, due to recent changes in iOS, malware typically cannot survive a real reboot and loses persistence.

NoReboot operates by connecting to SpringBoard (the Apple iOS UI application, also known as the Home Screen) and Backboardd (the daemon behind SpringBoard) to detect and intercept the reboot command (for example, when the user presses the volume down and power buttons together). Instead of shutting down the operating system, NoReboot disables the SpringBoard UI.

This leaves the iPhone screen blank, creating the illusion that the device is powered off. However, the iPhone remains on the entire time. To further maintain the illusion, NoReboot disables features like 3D Touch feedback, camera LED indicators, vibration, and sound for any incoming calls or notifications, so the device appears completely inactive.

Proof of Concept and Limitations

The researchers also released a NoReboot proof of concept (PoC), which includes a fake boot screen to fully simulate an iOS reboot.

ZecOps engineers emphasize that the NoReboot method works with standard device restarts, but not with forced restarts, which occur at the hardware level rather than through software. “We did not find an easy way to compromise a forced restart. This event is implemented at a much lower level,” the researchers wrote.

However, ZecOps warns that users should not feel completely safe even if they perform a forced restart. Since a forced restart requires the user to quickly press the volume up and down buttons several times and then hold the power button, an attacker could potentially detect this pattern, block it before completion, and then trigger the NoReboot attack instead.
