What would you do if you discovered malware on your iPhone?
Your first instinct might be to turn it off to stop malicious espionage. Unfortunately, even that might not be enough.
A new type of malware conceived by researchers at the Technical University of Darmstadt could run even when the phone is turned off. And no, I’m not talking about a fake NSA-style shutdown screen.
“Baloney!” you scream. How can malware work without electricity? The simple answer is that these days, devices are rarely completely “off”.
The investigation is summarized in the following 1-minute video:
The exploit takes advantage of the iPhone’s Low Power Mode, which is supported by all iPhones since 2018, starting with the iPhone Xr and Xs. This mode allows the NFC, Ultra-Wideband, and Bluetooth chips to absorb a little power when the rest of the phone is off.
Since iOS 15, these chips can work indefinitely, allowing your phone to be found via Find My, as well as allowing features like Express Cards and Car Key to remain functional.
That’s obviously very useful if you ever lose your phone, but it does open up the possibility of a new type of malware that can run until your battery is completely drained, 100%.
The Bluetooth chip has its own firmware that can run separately from the main processor. This firmware is at the heart of the studio; according to the researchers, it is completely unsigned, “has no protection against modification” and “attackers could run Bluetooth malware even after shutdown.”
The Bluetooth and UWB chips are connected to Apple’s NFC chip secure element, which stores information for Apple Pay, Car Keys and Express Cards. Basically, that means that the information stored in the Secure Element can be accessed by attacking the firmware of the Bluetooth chip.
Worse yet, “because LPM support is implemented in hardware, it cannot be removed” by system updates. And firmware-level vulnerabilities that take advantage of low-power modes could be extremely difficult to detect; Sometimes malware can be identified simply because it consumes more battery power.
Before you go and trade in your iPhones for a flip phone, it’s worth noting that the exploit detailed in the document requires a jailbroken iPhone, which significantly reduces the chances of regular users being affected by this exploit. The researchers have also shared their findings with Apple, which will likely look to address these concerns in future devices.
Still, it goes to show that with every new convenient feature, there’s a new opportunity for the bad guys to blow up. It’s not inconceivable that hackers would find ways to remotely jailbreak iPhones, as happened with Pegasus. For every exploit that is made public ahead of time, there are others that we don’t find out about until it’s too late.
The researchers acknowledge that LPM apps are meant to increase security for most users, but say that “Apple should add a hardware-based switch to disconnect the battery. Such a change would “improve the situation for users concerned about privacy and surveillance targets like journalists.”
Via Ars Technica