This article was published on May 17, 2022

Oh great: Researchers invent iPhone malware that works even if your phone is off

Apple's Bluetooth firmware has "no protection against modification"



What would you do if you discovered malware on your iPhone?

Your first instinct might be to turn the darn thing off to stop malicious snooping. Unfortunately, even that might not be enough.

A new type of malware conceived by researchers at the Technical University of Darmstadt would be able to run even when your phone’s power is off. And no, I’m not talking about an NSA-style fake power-off screen.

“Baloney!” you shout. How can malware run without electricity? The simple answer is that these days, devices are rarely fully “off.”

The research is summarized in the 1-minute video below:

The exploit leverages the iPhone’s Low Power Mode (LPM), which is supported on every iPhone since 2018, starting with the iPhone XR and XS. This mode lets the NFC, Ultra-Wideband, and Bluetooth chips draw a trickle of power while the rest of the phone is off.

Since iOS 15, these chips can run indefinitely, allowing your phone to be localizable via Find My, as well as enabling features like Express Cards and Car Key to remain operational.

That’s obviously really useful if you ever lose your phone, but it opens the door to a new kind of malware that can keep running until your battery is absolutely, 100% depleted.

The Bluetooth chip has its own firmware that can run separately from the main processor. This firmware is at the heart of the study; according to the researchers, it is completely unsigned, has “no protection against modification,” and “attackers could run Bluetooth malware even after shutdown.”

The Bluetooth and UWB chips are hardwired to the Secure Element in Apple’s NFC chip, which stores information for Apple Pay, Car Keys, and Express Cards. That essentially means the information stored in the Secure Element can be made accessible by attacking the Bluetooth chip’s firmware.

Worse, “since LPM support is implemented in hardware, it cannot be removed” by system updates. Firmware-level exploits that leverage low power modes could also be extremely difficult to detect: malware on a running phone can sometimes be spotted simply because it causes extra battery drain, a tell that is far less obvious on a phone that appears to be off.

Before you go and trade your iPhone for a flip phone, it’s worth noting that the exploit detailed in the paper requires a jailbroken iPhone, which significantly decreases the chances that regular users will be affected. The researchers also shared their findings with Apple, which will likely seek to address these concerns on future devices.

Still, it goes to show that with every convenient new feature, there’s a new opportunity for bad guys to exploit. It is not inconceivable for hackers to find ways to jailbreak iPhones remotely, as happened with Pegasus. For every exploit made public early, there are others we don’t find out about until it’s too late.

The researchers acknowledge that LPM applications are meant to increase security and safety for most users, but say “Apple should add a hardware-based switch to disconnect the battery.” Such a change “would improve the situation for privacy-concerned users and surveillance targets like journalists.”

Via Ars Technica
