
Exposing iPhones to attack even when they are turned off!

A team of researchers from the Technical University of Darmstadt in Germany found that the Bluetooth, NFC [1] and UWB [2] chips of an iPhone remain active even after the phone is turned off. In a paper titled "Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones", they show that malware running on the iPhone's Bluetooth chip can keep running while the phone is powered off. Jiska Classen and colleagues add that by compromising these wireless features, attackers could reach sensitive data such as the user's credit card details, bank information or even the digital car keys stored on the phone.

Although the risk is real, exploiting this scenario is not easy for attackers. The researchers note that a threat actor must load the malware while the iPhone is still on for it to keep running after the phone is turned off. That requires system-level access to the device, or remote code execution on the chip, for instance through known Bluetooth firmware flaws such as BrakTooth.

What is the cause of this?

The root cause is the way Low Power Mode (LPM) is implemented for the iPhone's wireless chips. The researchers distinguish this LPM, which the chips themselves run in, from the power-saving mode that iPhone users can switch on in iOS. The LPM in question is entered when the user turns off the phone or when iOS shuts down automatically because the battery is low. It gives users security, safety and convenience, for example by letting digital car keys and payment cards keep working after shutdown, but it also adds new threats. LPM support is built into the iPhone hardware, so it cannot be removed with a system update, and it therefore has a long-term effect on the overall security model of iOS. The Bluetooth and UWB chips are hardwired to the Secure Element (SE) [3] in the NFC chip, which stores the secrets that must remain available in LPM. As a result, the wireless chips in an iPhone can no longer be trusted to be off after the phone has been powered down. This creates a new threat model.

Apple's response and possible mitigation of risk

The researchers reported their findings to Apple before publishing the paper; Apple did not provide feedback on the issues raised. One possible fix is for Apple to add a hardware switch that cuts battery power to the wireless chips, so that they are unpowered when the iPhone is turned off.

The researchers believe this would improve the situation for users who are concerned about privacy and surveillance, such as journalists.

 


[1] Near Field Communication

[2] Ultra-wideband

[3] Secure Element
