Cybersecurity researchers have discovered a way to run malware on Apple iPhones even when the device is turned off.
A report published by the Technical University of Darmstadt in Germany details an exploit that takes advantage of the iPhone’s Low Power Mode (LPM) to track location and perform various malware attacks.
LPM enables certain smartphone features – such as Bluetooth, Near Field Communication (NFC) and/or Ultra Wideband – to work even when the device is turned off or when its battery is depleted.
An iPhone that is turned off is therefore never fully off, because these components keep running around the clock. The idea is that people can still use the wallet and keys stored on the device even after the battery runs out.
Functionality vs Security
The problem with such a system is that the Bluetooth chip cannot digitally sign or encrypt the firmware it runs, the report explains.
“The current implementation of LPM on Apple iPhones is opaque and adds new threats. Since LPM support is based on iPhone hardware, it cannot be removed with system updates. Thus, it has a lasting effect on the overall security model of iOS. To the best of our knowledge, we are the first to have reviewed undocumented LPM features introduced in iOS 15 and discovered various issues,” the researchers state.
“The design of LPM features appears to be primarily functionality-driven, disregarding threats external to the intended applications. Find My After Power Off turns turned-off iPhones into tracking devices by design, and the implementation in Bluetooth firmware is not tamper proof.”
Luckily, abusing the flaw is far from practical, as the attacker would first have to jailbreak the iPhone, which is a feat in and of itself.
But in the unlikely event of a successful attack, the intruder would be able to operate more stealthily, as compromised firmware is nearly impossible to detect.
Apple has been notified of the results, the researchers said, but has not yet responded to the disclosure. Tech Radar Pro also asked the company for comment.
Via Ars Technica