Overview: Researchers at the Technical University of Darmstadt in Germany have demonstrated the ability to load malware onto an iPhone even when it is turned off. There is no evidence that the technique has been exploited in the wild, and it may not even be viable on its own, but the finding may give Apple something to think about.
The exploit is tied to a feature in iOS 15 that allows Find My to keep working for several hours after a device shuts down. Specifically, the chips used for Bluetooth, Near Field Communication (NFC), and Ultra Wideband (UWB) continue to operate in Low Power Mode (LPM) even after a user-initiated shutdown.
This low-power mode is different from the battery-saving Low Power Mode indicated by the yellow battery icon.
When evaluating LPM functionality, the researchers found that the Bluetooth LPM firmware is neither signed nor encrypted. Under the right circumstances, the team says, this firmware could be modified to run malware. Those conditions include a jailbroken iPhone, preferably with system-level access. If an attacker already has this level of access, a Bluetooth chip exploit like the one described here would likely be redundant.
The researchers say they informed Apple of the issues, but the company has not commented on it. Similarly, Apple declined to comment when contacted by Motherboard.
Security researcher Ryan Duff told Motherboard “it’s not really a standalone attack without additional vulnerabilities and exploits.”
“It may be possible to directly exploit the Bluetooth chip and modify the firmware, but the researchers haven’t done this and there are currently no known exploits that would allow this,” Duff added.
In its report published on arXiv, the team said it believes LPM is “a relevant attack surface that must be considered by high-value targets such as journalists, or can be weaponized to create wireless malware running on turned off iPhones”.
Image credit: Caleb Oquendo, MacRumors