Overview: Researchers at the Technical University of Darmstadt in Germany have demonstrated the ability to load malware on an iPhone even when it’s turned off. There is no evidence that it was mined in the wild and it might not be viable on its own, but the question might give Apple something to think about.
The vulnerability is related to a feature in iOS 15 that allows Find My to run for several hours after a device is turned off. Specifically, the chips used in Bluetooth, Near Field Communication (NFC), and Ultra Wideband (UWB) continue to operate in Low Power Mode (LPM) even after being turned off by the user.
This low power mode is different from the mode indicated by the yellow battery icon.
When evaluating the functionality of the LPM, the researchers found that the Bluetooth LPM firmware was neither signed nor encrypted. Under the right conditions, the team says this firmware can be modified to run malware. These favorable conditions include a jailbroken iPhone, preferably with system-wide access. If you already have that level of access, exploiting a Bluetooth chip like the one shown here will likely be redundant.
The researchers say they reported the issues to Apple, but the company has not commented. Similarly, Apple declined to comment when contacted by Motherboard.
“It’s not a stand-alone attack without additional security holes,” security researcher Ryan Duff told Motherboard.
“It may be possible to exploit the Bluetooth chip and modify the firmware directly, but the researchers did not do this and there are currently no known vulnerabilities that would allow this,” Duff added.
In its report published on arXiv, the team said it believes LPM is a “relevant attack surface that must be considered by high-value targets such as journalists, or it can be weaponized to create wireless malware that runs on decommissioned iPhones.”
Image credit: Caleb Oquendo, MacRumors
