The iPhone does not completely shut down when you turn it off because it is not completely powered down. Researchers have devised a new kind of malware that can run even when the phone’s power is not on. This new type of malware was spotted by researchers at the Technical University of Darmstadt.
It is possible to find a lost or stolen device using the chips that are on the device, which run in a low-power mode during this time. When there is no battery left on an iPhone, the Find My feature can be used, or a credit card and car keys can be used to locate the device.
Unfortunately, one of the things that emerged is that the Bluetooth chip on the iPhone does not have the capability to sign or encrypt the firmware that runs on it.
Technical Analysis
In order to exploit the vulnerability, the exploit leverages the Low Power Mode in iPhones for making the exploit accessible. As of 2018, every iPhone has a Low Power Mode starting with iPhone Xr and XS.
When entering the “power reserve” Low Power Mode (LPM), the process of shutting down iOS takes advantage of the fact that Bluetooth, Near-Field Communication (NFC), and Ultra-Wide Band (UWB) chips continue to operate while iOS is turned off.
With iOS 15, these chips can run continuously, so you can locate your phone via the Find My feature. In addition to that, it also ensures that features such as Express Cards and Car Keys continue to function.
It turned out to be the first major study to analyze the potential risk posed to the users by the low power consumption smart chips.
A device can run in a special mode that runs near-field communication, ultra-wideband, and Bluetooth chips for up to 24 hours after they are turned off using the LPM.
Here’s what the researchers stated:-
“The current LPM implementation on Apple iPhones is opaque and adds new threats. Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates.”
“Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.”
“Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”
However, the findings are not readily useful for real-world applications since infecting an iPhone requires a jailbroken device, which is by itself a very difficult task to accomplish, especially in an adversarial environment.
The possibility of hackers finding a way of jailbreaking iPhones remotely is not inconceivable, as occurred during the Pegasus incident.
While to mitigate such a situation Apple should add a hardware switch to disable the battery in LPM applications, which increases security and safety for most users.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
