Is hacking a switched-off iPhone possible?

Researchers at the Secure Mobile Networking Lab at the Technical University of Darmstadt in Germany have published a paper describing a method for attacking an iPhone even when the device is turned off. The study examined how the wireless modules operate after shutdown, found a way to analyze the Bluetooth firmware and, as a consequence, a way to load malware that can run entirely independently of iOS, the device's operating system.

With a little imagination, it is not hard to conceive of a scenario in which an attacker holds an infected phone next to the victim's device and loads malware onto it, malware that could steal payment card details or even the virtual car key.

For now, though, this remains hypothetical: the paper's authors did not demonstrate the risk, stopping one step short of a practical attack in which something genuinely useful to an attacker, and unpleasant for the victim, is loaded onto the smartphone. Even so, the researchers accomplished a great deal by analyzing the phone's undocumented functionality, reverse engineering its Bluetooth firmware, and modeling various scenarios for abusing the wireless modules.

So if the attack did not happen, what is this post about? We will explain, but first an important observation: if a device is turned off, yet it is still possible to interact with it (to hack it, for example), then it is not completely turned off!

How did we get to the point where turning something off no longer necessarily means it is really off? Let's start from the beginning:

  • Apple's Low Power Mode

In 2021, Apple announced that Find My, the service used to locate a lost device, would work even when the device is turned off. The feature is available on all Apple smartphones from the iPhone 11 onward.

If, for example, you lose your phone somewhere and its battery runs down after a while, it does not turn off completely but switches to Low Power Mode, in which only a very limited set of modules is kept alive. These are primarily the wireless modules, Bluetooth and Ultra-Wideband (UWB), as well as NFC. There is also the so-called Secure Element, a secure chip that stores your most precious secrets, such as credit card details for contactless payments or car keys (the latter a feature available since 2020 for a limited number of vehicles).

In Low Power Mode, Bluetooth is used to broadcast data, while UWB is used to pin down the smartphone's location precisely. The phone periodically sends out a short packet about itself, which the iPhones of passers-by pick up and report. If the owner of the lost phone logs in to their Apple account online and marks the phone as lost, the information gathered from surrounding smartphones is used to determine the device's location.

The announcement quickly sparked heated discussion among security experts about the potential risks. The team of researchers from Germany decided to test the possible attack scenarios in practice.

  • First, the researchers performed a detailed analysis of Find My in Low Power Mode and discovered some previously undocumented behavior. After shutdown, most of the work is done by the Bluetooth module, which iOS loads and configures with a set of commands beforehand. It then periodically sends data packets over the air, which allows other devices to detect the iPhone even though it is powered down.
  • It turned out that the duration of this mode is limited: in iOS 15.3 only 96 broadcast sessions are scheduled, at 15-minute intervals. In other words, a lost, powered-off iPhone can be found for only 24 hours. If the phone shut down because the battery ran low, the window is even smaller, around five hours. That could be considered a quirk of the feature, but a real bug was also found: sometimes the "beacon" mode is not activated when the phone is turned off, although it should be.
  • The most interesting point is that the Bluetooth module is reprogrammed before the phone turns off; that is, its functionality is fundamentally altered. But what if it could be reprogrammed to the owner's detriment?
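To make the offline-finding mechanism and the 96-slot schedule described above concrete, here is a simplified model of the exchange in Go. It is an example added to this post, not code from the paper or from Apple. It assumes a seed shared between the phone and the owner's account and derives each slot's rotating identifier with HMAC-SHA256, which is a stand-in for Apple's derivation of rotating elliptic-curve keys (the real scheme lets finders encrypt reports they cannot read themselves); the 96-slot, 15-minute budget comes from the figures above, and the shutdown time and all reports are constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// Figures quoted in the post for iOS 15.3: 96 beacon sessions at 15-minute
// intervals, i.e. a powered-off iPhone stays findable for 24 hours.
const (
	SlotsNormal  = 96
	SlotInterval = 15 * time.Minute
)

// BeaconID derives the rotating identifier broadcast during slot i.
// HMAC-SHA256 over a seed known to the owner's account is an ASSUMED
// stand-in for Apple's key derivation, not the real construction.
func BeaconID(seed []byte, slot uint32) string {
	mac := hmac.New(sha256.New, seed)
	var buf [4]byte
	binary.BigEndian.PutUint32(buf[:], slot)
	mac.Write(buf[:])
	return hex.EncodeToString(mac.Sum(nil)[:8]) // truncated for readability
}

// BeaconAt returns what the powered-off phone is broadcasting at time t, or
// "" once the slot budget is spent: the beacon has gone silent. The
// low-battery case from the post is modeled simply as a smaller budget.
func BeaconAt(seed []byte, shutdown, t time.Time, slots int) string {
	if t.Before(shutdown) {
		return ""
	}
	slot := int(t.Sub(shutdown) / SlotInterval)
	if slot >= slots {
		return ""
	}
	return BeaconID(seed, uint32(slot))
}

// Report is what a passer-by's iPhone uploads: the identifier it heard, when
// and where. Nothing in it names the owner, and consecutive identifiers from
// the same phone cannot be linked without the seed.
type Report struct {
	ID   string
	When time.Time
	Loc  string
}

// Locate is the owner's side after marking the phone lost: rederive every
// identifier the phone could have used and match them against the crowd's
// reports. Reports for other people's devices simply do not match.
func Locate(seed []byte, slots int, reports []Report) []Report {
	known := make(map[string]bool, slots)
	for i := 0; i < slots; i++ {
		known[BeaconID(seed, uint32(i))] = true
	}
	var hits []Report
	for _, r := range reports {
		if known[r.ID] {
			hits = append(hits, r)
		}
	}
	return hits
}

func main() {
	seed := []byte("constructed-demo-seed-not-a-real-key")
	off := time.Date(2022, 5, 1, 9, 0, 0, 0, time.UTC) // constructed shutdown time

	// Constructed reports: two genuine sightings, one unrelated device, and a
	// sighting 25 h after shutdown, by which time the phone is no longer
	// beaconing (BeaconAt returns "" and nothing matches).
	reports := []Report{
		{BeaconAt(seed, off, off.Add(10*time.Minute), SlotsNormal), off.Add(10 * time.Minute), "cafe"},
		{BeaconAt(seed, off, off.Add(23*time.Hour), SlotsNormal), off.Add(23 * time.Hour), "train station"},
		{"deadbeefdeadbeef", off.Add(time.Hour), "someone else's device"},
		{BeaconAt(seed, off, off.Add(25*time.Hour), SlotsNormal), off.Add(25 * time.Hour), "too late"},
	}
	for _, r := range Locate(seed, SlotsNormal, reports) {
		fmt.Printf("%s  %s\n", r.When.Format(time.RFC3339), r.Loc)
	}
}
```

Two things the code makes visible that the prose only states: the finder side learns nothing beyond an opaque identifier, and once the 96 slots are used up (or 20 of them, for the roughly five-hour low-battery window) the phone is simply invisible to the network.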

Attacking a powered-off phone

The team's main finding, in fact, was that the firmware of the Bluetooth module is neither encrypted nor protected by Secure Boot. Secure Boot is a multi-stage verification of program code at startup which ensures that only firmware signed by the device manufacturer can run.

The lack of encryption makes it possible to analyze the firmware and hunt for vulnerabilities that can later be used in attacks. The absence of Secure Boot lets an attacker go further and replace the manufacturer's code wholesale with his own, which the Bluetooth module will then execute. One practical caveat: since it is iOS that loads and configures the chip's firmware before shutdown, an attacker would first need privileged access to iOS to swap the image; the firmware attack is about what the chip does afterwards, independently of iOS. For comparison, analysis of the firmware of the iPhone's UWB module showed that it is protected by Secure Boot, although it is not encrypted either.
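What the presence or absence of Secure Boot means for the loader can be shown in a few lines. The following Go example is added to this post; it is not the researchers' code and does not reproduce any real chip's image format. The image layout (signature, length, body), the Ed25519 vendor key pair and the firmware bytes are all constructed for the illustration, and a single verification stage stands in for the multi-stage chain a real boot ROM implements.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative image layout (assumed, not Apple's or any chip vendor's):
//   sig[64] || bodyLen[4, big-endian] || body
const (
	sigLen = ed25519.SignatureSize
	hdrLen = sigLen + 4
)

// BuildImage is the manufacturer-side step: measure the body and sign the
// measurement with the vendor's private key, which never leaves the vendor.
func BuildImage(priv ed25519.PrivateKey, body []byte) []byte {
	digest := sha256.Sum256(body)
	sig := ed25519.Sign(priv, digest[:])
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(body)))
	out := make([]byte, 0, hdrLen+len(body))
	out = append(out, sig...)
	out = append(out, n[:]...)
	return append(out, body...)
}

// parse splits an image into signature and body, checking only framing.
func parse(blob []byte) (sig, body []byte, err error) {
	if len(blob) < hdrLen {
		return nil, nil, errors.New("image too short")
	}
	n := binary.BigEndian.Uint32(blob[sigLen:hdrLen])
	if int(n) != len(blob)-hdrLen {
		return nil, nil, errors.New("length field does not match image")
	}
	return blob[:sigLen], blob[hdrLen:], nil
}

// LoadUnsigned models the Bluetooth chip as the paper found it: the loader
// checks nothing about provenance, so whatever it is handed will run.
func LoadUnsigned(blob []byte) ([]byte, error) {
	_, body, err := parse(blob)
	return body, err
}

// LoadVerified models a secure-boot loader: the vendor public key is pinned
// in immutable storage on the chip, and code whose signature fails is not run.
func LoadVerified(pinned ed25519.PublicKey, blob []byte) ([]byte, error) {
	sig, body, err := parse(blob)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	if !ed25519.Verify(pinned, digest[:], sig) {
		return nil, errors.New("secure boot: signature verification failed, refusing to run")
	}
	return body, nil
}

// Tamper is the attacker's move: overwrite bytes of the body in place,
// leaving the header untouched. Returns a modified copy.
func Tamper(blob []byte, offset int, patch []byte) []byte {
	out := append([]byte(nil), blob...)
	if offset < 0 || hdrLen+offset > len(out) {
		return out
	}
	copy(out[hdrLen+offset:], patch)
	return out
}

func main() {
	// Constructed vendor key pair; in practice the private half lives in an HSM.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	firmware := []byte("constructed BT firmware: beacon loop v1") // stand-in body
	image := BuildImage(vendorPriv, firmware)
	evil := Tamper(image, 0, []byte("malicious"))

	if body, err := LoadUnsigned(evil); err == nil {
		fmt.Printf("unsigned loader ran: %q\n", body)
	}
	if _, err := LoadVerified(vendorPub, evil); err != nil {
		fmt.Println("verified loader:", err)
	}
	// Re-signing with the attacker's own key does not help either: the chip
	// trusts only the pinned vendor key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	if _, err := LoadVerified(vendorPub, BuildImage(attackerPriv, firmware)); err != nil {
		fmt.Println("verified loader:", err)
	}
}
```

The point of the contrast is where trust is anchored: the unsigned loader trusts whoever wrote the bytes, which after a compromise of iOS is the attacker, while the verified loader trusts a key that tampering, truncation or re-signing with a foreign key cannot satisfy. Note that signing does nothing for confidentiality, which is why the UWB firmware mentioned above can be signed yet still readable for analysis.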

Apple was unimpressed by the study and declined to comment. This in itself says little: the company is careful to maintain an air of indifference even when a threat is serious and has been demonstrated in practice.

On the positive side, the paper has no immediate impact on ordinary users: the data obtained in the study is insufficient for a practical attack. As a foolproof fix, the authors suggest that Apple add a hardware switch that completely cuts power to the phone. Given Apple's well-known aversion to physical buttons, however, you can be fairly sure that will not happen.
