What would you do if you discovered malware on your iPhone?
Your first instinct might be to turn the darn thing off to stop malicious snooping. Unfortunately, even that might not be enough.
A new type of malware demonstrated by researchers at the Technical University of Darmstadt would be able to keep running even after you have powered your phone off. And no, I'm not talking about an NSA-style fake power-off screen.
"Baloney!" you shout. How can malware run without electricity? The simple answer is that these days, devices are rarely fully "off."
The researchers summarize the work in a one-minute video.
The exploit leverages the iPhone's low-power mode (LPM), which every iPhone since 2018, starting with the iPhone XR and XS, supports in hardware. This is not the battery-saving Low Power Mode in Settings: it is the state in which the NFC, Ultra Wideband, and Bluetooth chips keep drawing a trickle of power after the rest of the phone has shut down.
Since iOS 15, these chips keep running after shutdown, so a powered-off phone can still be located via Find My, and features like Express Cards and Car Key keep working.
That's obviously really useful if you ever lose your phone, but it opens the door to a new kind of malware that can run until your battery is absolutely, 100% depleted.
The Bluetooth chip runs its own firmware, separate from the main processor, and that firmware is at the heart of the study. According to the researchers, it is completely unsigned and has "no protection against modification," so "attackers could run Bluetooth malware even after shutdown."
The Bluetooth and UWB chips are hardwired to the Secure Element in Apple's NFC chip, which holds the credentials for Apple Pay, Car Keys, and Express Cards. In effect, an attacker who controls the Bluetooth chip's firmware has a hardware path toward the data the Secure Element protects.
Worse, "since LPM support is implemented in hardware, it cannot be removed" by system updates. Firmware-level malware that lives in low-power mode could also be extremely difficult to detect: one of the usual tells, unexplained battery drain, is of little use when the phone is supposedly off and nobody expects the battery to last anyway.
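The practical difference between the unsigned Bluetooth firmware the researchers describe and a firmware image that a boot ROM verifies before running is easiest to see in code. The example below is added here and is not the researchers' code or anything from Apple; the image layout (magic, version, length, payload, trailing Ed25519 signature), the fixed key seeds, and the two loaders are all constructed for illustration. The "unsigned" loader only checks framing, which is the behaviour the paper attributes to the Bluetooth chip; the "signed" loader refuses anything that does not verify under the key the ROM trusts, which is what turns a filesystem-level firmware patch from a persistence mechanism into a bricked update.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this illustration (not Apple's real format):
//   magic[4] | version uint32 LE | payloadLen uint32 LE | payload | sig[64]
// The 64-byte Ed25519 signature covers every byte before it.
var magic = []byte("BTFW")

const headerLen = 12
const sigLen = ed25519.SignatureSize

// Fixed seeds so the example is reproducible (an assumption of this example);
// a real device keeps the vendor public key in boot ROM and the private key
// in an HSM. The attacker key models someone re-signing with a key of their own.
var (
	vendorPriv   = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	rootPubKey   = vendorPriv.Public().(ed25519.PublicKey) // what the ROM trusts
	attackerPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
)

// BuildImage assembles header+payload; if priv is non-nil it appends an
// Ed25519 signature over the header and payload.
func BuildImage(version uint32, payload []byte, priv ed25519.PrivateKey) []byte {
	buf := &bytes.Buffer{}
	buf.Write(magic)
	binary.Write(buf, binary.LittleEndian, version)
	binary.Write(buf, binary.LittleEndian, uint32(len(payload)))
	buf.Write(payload)
	if priv != nil {
		sig := ed25519.Sign(priv, buf.Bytes())
		buf.Write(sig)
	}
	return buf.Bytes()
}

// parseImage validates framing only and splits the image into the signed
// region (header+payload), the payload, and whatever trails it (the signature).
func parseImage(img []byte) (signed, payload, trailer []byte, err error) {
	if len(img) < headerLen || !bytes.Equal(img[:4], magic) {
		return nil, nil, nil, errors.New("bad magic or truncated header")
	}
	n := uint64(binary.LittleEndian.Uint32(img[8:headerLen]))
	end := uint64(headerLen) + n
	if end > uint64(len(img)) {
		return nil, nil, nil, errors.New("payload length exceeds image")
	}
	return img[:end], img[headerLen:end], img[end:], nil
}

// LoadUnsigned mirrors the situation the paper describes for the Bluetooth
// firmware: the loader checks framing, never provenance, so any well-formed
// image, including a modified one, is accepted and run.
func LoadUnsigned(img []byte) ([]byte, error) {
	_, payload, _, err := parseImage(img)
	return payload, err
}

// LoadSigned is the hardened loader: the image must carry a signature that
// verifies under the ROM-trusted public key, or it is refused.
func LoadSigned(img []byte) ([]byte, error) {
	signed, payload, trailer, err := parseImage(img)
	if err != nil {
		return nil, err
	}
	if len(trailer) != sigLen {
		return nil, errors.New("missing or malformed signature")
	}
	if !ed25519.Verify(rootPubKey, signed, trailer) {
		return nil, errors.New("signature verification failed")
	}
	return payload, nil
}

// tamper returns a copy of img with one payload byte flipped, the minimal
// "patched firmware" an attacker with filesystem access could write back.
func tamper(img []byte) []byte {
	out := append([]byte(nil), img...)
	out[headerLen] ^= 0xFF
	return out
}

// Demo runs the scenarios and reports which loader accepted which image.
func Demo() map[string]bool {
	firmware := []byte("constructed BT firmware blob") // constructed sample payload
	unsignedImg := BuildImage(1, firmware, nil)
	signedImg := BuildImage(1, firmware, vendorPriv)
	resignedImg := BuildImage(1, firmware, attackerPriv)

	ok := func(_ []byte, err error) bool { return err == nil }
	return map[string]bool{
		"unsigned loader, tampered image":   ok(LoadUnsigned(tamper(unsignedImg))),
		"signed loader, genuine image":      ok(LoadSigned(signedImg)),
		"signed loader, tampered image":     ok(LoadSigned(tamper(signedImg))),
		"signed loader, attacker-signed":    ok(LoadSigned(resignedImg)),
		"signed loader, signature stripped": ok(LoadSigned(unsignedImg)),
	}
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-36s accepted=%v\n", k, v)
	}
}
```

Only the genuine, vendor-signed image gets past the hardened loader; a flipped byte, an image re-signed with the attacker's own key, and an image with the signature stripped are all refused, while the framing-only loader happily runs the tampered blob. Note that signing alone does not address the paper's other point, that LPM itself is hardware and cannot be switched off by software.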
Before you go and trade your iPhone for a flip phone, it's worth noting that the exploit detailed in the paper requires a jailbroken iPhone, since modifying the firmware image needs privileged access to the phone; that significantly reduces the chance that ordinary users will be affected. The researchers also shared their findings with Apple, which will likely look to address the issue on future devices.
Still, it goes to show that with every convenient new feature, there's a new opportunity for bad guys to exploit. It is not inconceivable for hackers to find ways to jailbreak iPhones remotely, as happened with Pegasus. For every exploit made public early, there are others we don't find out about until it's too late.
The researchers acknowledge that LPM applications are meant to increase security and safety for most users, but say "Apple should add a hardware-based switch to disconnect the battery." Such a change "would improve the situation for privacy-concerned users and surveillance targets like journalists."
Via Ars Technica