Skip to content
Attackers can target iPhones even when they are turned off, due to how Apple implements standalone wireless features Bluetooth, Near Field Communication (NFC ) & Ultra-wideband ( UWB) technologies in the device, researchers have found.
Wireless features Bluetooth, NFC & UWB stay on even when the device is powered down, which could allow attackers to execute pre-loaded malware.
Secure Element (SE)
These features have access to the iPhone’s Secure Element (SE), which stores sensitive info – stay on even when modern iPhones are powered down, researchers from Germany’s Technical University of Darmstadt discovered.
This makes it possible, for instance, “to load malware onto a Bluetooth chip that is executed while the iPhone is off,” they wrote in a research paper titled “Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhone.”
Digital Car Keys
By compromising these wireless features, attackers can go on to access secure information such as a user’s credit card data, banking details or digital car keys on the device, researchers Jiska Classen, Alexander Heinrich, Robert Reith & Matthias Hollick of the university’s Secure Mobile Networking Lab revealed in the paper.
Though the risk is real, exploiting this is not so easy for would-be attackers, researchers suggested. Threat players would still need to load the malware when the iPhone is on for later use when it’s off, they stated.
This would require system-level access or remote code execution (RCE), the latter of which they could gain by using known flaws, such as BrakTooth, researchers outlined.
Cause of the Issue
The root cause of the issue is the current implementation of low power mode (LPM) for wireless chips on iPhones, researchers detailed in the paper. The team distinguished between the LPM that these chips run on against the power-saving app that iPhone users can enable on their phones to save battery life.
The LPM at issue is “either activated when the user switches off their phone or when iOS shuts down automatically due to low battery,” they wrote.
New Threats
While the current LPM implementation on iPhones increases “the user’s security, safety, & convenience in most situations,” it also “adds new threats,” researchers explained.
LPM support is based on the iPhone’s hardware, so it cannot be removed with system updates & thus has “a long-lasting effect on the overall iOS security model,” they outlined.
“The Bluetooth & UWB chips are hardwired to the SE in the NFC chip, storing secrets that should be available in LPM,” researchers explained. “Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model.”
Threat Scenario
Researchers analysed the security of LPM features in a layered approach, observing the impact of the feature on application-, firmware- and hardware-level security.
E.g., a potential threat situation that they outlined on the iPhone’s firmware assumes that an attacker either has system-level access or can gain remote code execution (RCE) using a known Bluetooth vulnerability, such as the mentioned Braktooth issue.
System-Level Access
In this sort of attack, a threat player with system-level access could change firmware of any component that supports LPM, researchers remarked. So, they maintain limited control of the iPhone even when the user powers it off, researchers commented.
“This might be interesting for persistent exploits used against high-value targets, such as journalists,” they wrote.
In the case of using an RCE flaw, players have a smaller attack surface but could still access data via NFC Express Mode, Bluetooth & UWB DCK 3.0, researchers note. However, “Apple already minimises the attack surface by only enabling these features on demand,” they explained.
Manipulation
Even if all firmware would be protected against manipulation, an attacker with system-level access could still send custom commands to chips that “allow a very fine-grained configuration, including advertisement rotation intervals & contents,” researchers noted.
This could let an attacker to create settings that would allow them to find a user’s device even more accurately than the legitimate user in the Find My application, for instance.
Apple’s Response & Potential Mitigation
Before publishing the paper, researchers reported their research to Apple, which did not provide feedback on the issues raised by their findings, they stated.
A possible solution to this issue would be for Apple to add “a hardware-based switch to disconnect the battery” so these wireless elements would not have power while an iPhone is powered down, researchers suggested.
“This would improve the situation for privacy-concerned users & surveillance targets like journalists,” they concluded.
