You can Install Malware on iPhone When it is Powered Off – Research

Attackers can Install Malware on iPhone When it is Powered Off – Research

The iOS Find My feature has a safety loophole that can lead to infecting the iPhone even if the phone is off.

Academic researchers from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt have identified a unique way of infecting an iPhone by loading malware while the phone is off.

Researchers will present their findings at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022).

How does the Attack work?

The attack involves tampering with the iOS firmware and loading malicious software onto the Bluetooth chip, one of the iPhone's wireless chips alongside Near-Field Communication (NFC) and Ultra-Wideband (UWB). The attacker needs to get code executing on the chip to infect the phone when it is off. The chip continues to operate after the system shuts down, when Low Power Mode (LPM) is activated.

The three wireless chips support the Find My and Express Card transaction features, and they can also directly access the Secure Element. The Ultra-Wideband (UWB) chip (supported by iPhone 11, 12, and 13) and the Bluetooth chip are hardwired to the NFC chip’s Secure Element and can easily access confidential data.

“Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown,” researchers wrote in the paper titled “Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones.”

Researchers regarded the LPM feature as opaque and highlighted that it sometimes fails to initialize Find My advertisements when the phone is off. Moreover, the Bluetooth firmware is not encrypted or signed.

An attacker can exploit this flaw to execute malware on an iPhone's Bluetooth chip. However, the adversary must possess privileged access. To exploit the loophole successfully, the attacker must communicate with the firmware via the OS, modify its image, or obtain code execution on an LPM-activated chip by exploiting another flaw such as BrakTooth.

What is LPM?

This feature was introduced in 2021 with iOS 15. It helps the user track lost devices using the Find My network and stays available even when the phone is out of battery power or is off. Before the phone shuts down, a message states that the device will remain findable despite being off, and that the Find My feature will locate it in case it is lost or stolen. The phone will remain accessible when it is powered off or in power reserve mode.
