Your iPhone Is Vulnerable to a Malware Attack Even When It’s Off
When you turn off an iPhone, it does not completely power off. Several chips inside the device keep running in a low-power mode so that a lost or stolen phone can still be located with the Find My feature, and so that credit cards and car keys stored in the wallet keep working after the battery runs out. Now researchers have devised a way to abuse this always-on mechanism to run malware that stays active even when the iPhone appears to be powered off.
It turns out that the iPhone's Bluetooth chip, which is key to making features like Find My work, has no mechanism to digitally sign or even encrypt the firmware it runs. Academics at Germany's Technical University of Darmstadt have found a way to exploit this lack of hardening to run malware that lets attackers track a phone's location or run new features while the device is turned off.
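To make concrete what a signed-firmware check looks like, here is an added example (not code from the Darmstadt paper, from Apple, or from the Bluetooth chip's actual firmware). It contrasts a naive loader that runs whatever image it is handed, which is the situation the paragraph describes, with a loader that verifies a signature over the image first. The keys are a toy 512-bit textbook RSA pair generated in-process with a fixed seed, and the firmware bytes are constructed sample data; none of this is production-strength crypto, only an illustration of where the check belongs.

```python
"""Signed-firmware verification, illustrated with toy textbook RSA (insecure, demo only)."""
import hashlib
import random

# Fixed seed so the demo keypair is reproducible; a real device would use a
# manufacturer key provisioned in ROM or fused into the chip (assumption for the demo).
_rng = random.Random(20220516)


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test; enough for a demo key, not for a real one."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); 512-bit modulus is far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def _digest_int(image: bytes) -> int:
    # SHA-256 is 256 bits, always smaller than the 512-bit modulus, so no padding step here.
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign_firmware(private_key, image: bytes) -> int:
    """Vendor side: sign the hash of the image at build time."""
    n, d = private_key
    return pow(_digest_int(image), d, n)


def verify_firmware(public_key, image: bytes, signature: int) -> bool:
    """Chip side: recompute the hash and compare with the recovered signed value."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(image)


def naive_loader(image: bytes):
    """What an unsigned-firmware design amounts to: run whatever is in flash."""
    return ("RUN", image)


def verifying_loader(public_key, image: bytes, signature: int):
    """A loader that refuses to run an image whose signature does not verify."""
    if not verify_firmware(public_key, image, signature):
        return ("REJECT", None)
    return ("RUN", image)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    firmware = b"BT-FW v1.0 (constructed sample image)"
    sig = sign_firmware(priv, firmware)
    print(verifying_loader(pub, firmware, sig)[0])          # genuine image runs
    print(verifying_loader(pub, firmware + b"\x90", sig)[0])  # patched image is rejected
    print(naive_loader(firmware + b"\x90")[0])               # naive loader runs it anyway
```

The point of the contrast is the last two calls: with the naive loader, anyone who can write to the chip's flash (in the paper's setting, an attacker who already has privileged access on the application processor) controls what the chip executes, and nothing the application processor does later can tell the difference.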
This video provides a high-level overview of several ways an attack can work.
This study is the first, or at least among the first, to examine the risk posed by chips running in low-power mode. Not to be confused with the iOS low-power mode that conserves battery life, the low-power mode (LPM) in this study lets the chips responsible for near-field communication, ultra-wideband, and Bluetooth keep running in a special mode that can stay active for 24 hours after the device is turned off.
"The current implementation of LPM on Apple's iPhones is ambiguous and adds new threats," the researchers wrote in a paper published last week. "Since the iPhone's LPM support is hardware-based, it cannot be removed with system updates. As such, it has a lasting effect on the overall security model of iOS. To the best of our knowledge, we were the first to look at the undocumented LPM features introduced in iOS 15 and discovered various issues."
They added: "The design of LPM features seems to be primarily driven by functionality, without considering threats outside of the intended applications. Find My after power off turns the iPhone into a tracker by design, and the implementation in the Bluetooth firmware is not protected against manipulation."
The findings have limited real-world value, since infection requires jailbreaking the iPhone first, which is itself a daunting task, especially in an adversarial setting. Still, targeting the always-on feature in iOS could prove useful in post-exploitation scenarios for malware such as Pegasus, the sophisticated smartphone exploit tool from Israel-based NSO Group, which governments around the world routinely use to spy on adversaries.