Researchers say malware can be loaded onto shut down iPhones

Overview: Researchers at the Technical University of Darmstadt in Germany have demonstrated the ability to load malware onto an iPhone even when it is turned off. There’s no evidence it has been exploited in the wild, and it might not even be viable on its own, but the finding might give Apple something to think about.

The exploit is tied to a feature in iOS 15 that allows Find My to work for several hours after a device is shut down. In particular, chips used for Bluetooth, Near Field Communication (NFC), and Ultra Wideband (UWB) continue to operate in Low Power Mode (LPM) even after a user-initiated shutdown.

This power saving mode differs from the one indicated by the yellow battery icon.

When evaluating the LPM functionality, the researchers found that the Bluetooth LPM firmware is neither signed nor encrypted. Given the right circumstances, the team says this firmware could be modified to run malware. Those circumstances include a jailbroken iPhone, preferably with system-level access. If an attacker already has that level of access, a Bluetooth chip exploit like the one described here would probably be redundant.

The researchers said they informed Apple of the issues, but the company has not commented. Likewise, when contacted by Motherboard, Apple declined to comment.

Security researcher Ryan Duff told Motherboard, “It’s not really a standalone attack without additional vulnerabilities and exploits.”

“It may be possible to directly exploit the Bluetooth chip and modify the firmware, but researchers have not done this and there are currently no known exploits that would allow this,” added Duff.

In its report published on arXiv, the team said it believes LPM “is a relevant attack surface that needs to be considered by high-value targets such as journalists, or it can be used as a weapon to create wireless malware that runs on powered-off iPhones.”

Credit: Caleb Oquendo, MacRumors