When you turn an iPhone off, it doesn’t turn off completely. The chips in the device continue to operate in low-power mode, which makes it possible to locate lost or stolen devices with the Find My feature, or to use credit cards and car keys after the battery has died. Now, researchers have come up with a way to abuse this always-on mechanism to launch malware that remains active even when the iPhone appears to be turned off.
It turns out that the iPhone’s Bluetooth chip – which is key to making features like Find My work – has no mechanism to digitally sign or even encrypt the firmware it runs. Researchers at Germany’s Technical University of Darmstadt have figured out how to use this lack of protection to launch malicious firmware that allows an attacker to track a phone’s location or run new functions while the device is turned off.
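The missing control described above is an authenticity check on the firmware image before the chip loads it. The following is an added example, not code from the paper or from Apple, showing what such a check looks like in practice: a constructed container format (magic, version, length, payload, authentication tag) that a loader verifies before accepting an image. It uses a symmetric HMAC-SHA256 tag as a stand-in for the asymmetric signature a real secure-boot design would use, and adds an anti-rollback version check; the format, key and field layout are all assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed container layout (an assumption for this example, not Apple's format):
#   magic (4 bytes) | version (uint32 BE) | payload_len (uint32 BE) | payload | tag (32 bytes)
MAGIC = b"FWIM"
HEADER_LEN = 12
TAG_LEN = 32


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Produce an authenticated image: the tag covers header and payload together."""
    header = MAGIC + struct.pack(">II", version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(key: bytes, image: bytes, min_version: int):
    """Return (ok, reason, version, payload).

    Every structural check runs before the payload is trusted; the tag is compared
    in constant time, and an image older than min_version is rejected (anti-rollback).
    """
    if len(image) < HEADER_LEN + TAG_LEN or image[:4] != MAGIC:
        return False, "bad header", None, None
    version, plen = struct.unpack(">II", image[4:HEADER_LEN])
    if len(image) != HEADER_LEN + plen + TAG_LEN:
        return False, "length mismatch", None, None
    body, tag = image[: HEADER_LEN + plen], image[HEADER_LEN + plen :]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "authentication failed", None, None
    if version < min_version:
        return False, "rollback rejected", version, None
    return True, "ok", version, body[HEADER_LEN:]


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset to simulate a modified image."""
    data = bytearray(image)
    data[offset] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed, not a real device key
    good = build_image(key, 3, b"demo bluetooth firmware")
    print(verify_image(key, good, 2)[:2])                  # (True, 'ok')
    print(verify_image(key, tamper(good, 14), 2)[:2])      # payload modified
    print(verify_image(key, tamper(good, 7), 2)[:2])       # version field modified
    print(verify_image(key, good, 4)[:2])                  # older than min_version
```

The loader trusts nothing until the tag over the whole header-plus-payload verifies, so an attacker who can write to the chip's flash (the scenario in the paper) cannot substitute code without the key; with a real signature the key would be private to the vendor and only the public half would live on the device.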
This video provides a detailed overview of some of the ways an attack might work.
The study is the first – or at least among the first – to examine the risk posed by chips operating in low-power mode. Not to be confused with iOS’s low-power mode for preserving battery life, the low-power mode (LPM) in this study allows the chips responsible for near-field communication, ultra-wideband, and Bluetooth to operate in a special mode that can remain on for 24 hours after the device is turned off.
“The current implementation of LPM on the Apple iPhone is opaque and adds new threats,” the researchers wrote in a paper published last week. “Since LPM support is based on iPhone hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall security model of iOS. To our knowledge, we are the first to look at undocumented LPM features introduced in iOS 15 and have uncovered various issues.”
They added: “The design of LPM features appears to be driven mostly by functionality without considering threats outside of intended applications. Find My after powering off turns turned-off iPhones into tracking devices by design, and the implementation in the Bluetooth firmware is not tamper-proof.”
The findings have limited real-world value because infections require an iPhone to be jailbroken first, which is a difficult task in itself, especially in an adversarial setting. Still, targeting the always-on feature in iOS could prove useful in post-exploitation scenarios for malware like Pegasus, the sophisticated smartphone exploit tool from Israel-based NSO Group that governments around the world routinely use to spy on adversaries.