Install malware on a smartphone while it is turned off? Researchers have found that this is a realistic scenario: they managed to install malicious software on an iPhone running iOS 15 while the phone was powered off.
This is what German security researchers from TU Darmstadt write in their research paper.
Bluetooth has direct access to Secure Enclave
When you turn off an iPhone, it does not power down completely. Some chips in the phone drop into a power-saving mode and keep working. This is a deliberate choice by Apple: it lets services such as Find My iPhone, Express Cards and Digital Car Key keep working, for example to locate a stolen or lost device. The chips that stay on are those for Bluetooth, Near Field Communication (NFC) and Ultra-Wideband (UWB).
Security researchers at TU Darmstadt have found a way to abuse the always-on mechanism behind these wireless applications to install malware. Their research shows that all three components have direct access to an iPhone’s Secure Enclave.
The Secure Enclave is a subsystem that protects sensitive data on the device, biometric data in particular. This data is not held in main memory but on a separate chip.
Security measures offline when iPhone is turned off
It works like this. Turning off your iPhone shuts down the operating system, and with it the security measures Apple uses to prevent the firmware from being modified. Apple’s Bluetooth chip has no mechanism for digitally signing or encrypting the firmware running on it. As a result, it is theoretically possible to track an iPhone and add new functions to it.
Installing malware is one example. Because all of these security measures are disabled while an iPhone is turned off, malicious software can be installed on the phone: there is no check to stop the installation.
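The missing control the article describes is firmware signature verification anchored in hardware: a loader that checks a signature against a public key the chip cannot change refuses a modified image, whereas a loader with no such check accepts anything with the right header. The following is an added example, not code from the paper or from Apple; the firmware format, the "ROM" public key and the payloads are constructed for illustration. It uses a Lamport one-time signature so that it runs on the Python standard library alone; a real secure-boot design would use a conventional scheme such as ECDSA or RSA and a key fused into the chip.

```python
import hashlib
import hmac
import secrets

# Constructed toy firmware format: 4-byte magic followed by the payload.
# The signature covers the entire image, magic included.
MAGIC = b"BTFW"


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time signature keypair over SHA-256.

    The private key is 256 pairs of random 32-byte secrets; the public key
    is the SHA-256 hash of each secret. The public key is what would be
    burned into chip ROM or fuses at manufacture.
    """
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _digest_bits(image: bytes):
    digest = _h(image)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, image: bytes):
    """Vendor side: reveal one secret per digest bit. The key must never be reused."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(image))]


def verify(pk, image: bytes, sig) -> bool:
    """Chip side: each revealed secret must hash to the matching public-key half."""
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(image)):
        # compare_digest keeps the comparison constant-time per element
        if not hmac.compare_digest(_h(sig[i]), pk[i][bit]):
            ok = False
    return ok


def load_unverified(image: bytes) -> bool:
    """Models the loader the article describes: any well-formed image is accepted."""
    return image.startswith(MAGIC)


def load_verified(rom_pk, image: bytes, sig) -> bool:
    """Loader anchored to a public key the chip cannot change."""
    return image.startswith(MAGIC) and verify(rom_pk, image, sig)


def demo():
    """Run both loaders against a genuine and a modified image."""
    sk, rom_pk = keygen()
    genuine = MAGIC + b"vendor bluetooth firmware v1 (constructed payload)"
    sig = sign(sk, genuine)
    tampered = MAGIC + b"modified payload (constructed)"
    return {
        "unverified_accepts_tampered": load_unverified(tampered),
        "verified_accepts_genuine": load_verified(rom_pk, genuine, sig),
        "verified_rejects_tampered": load_verified(rom_pk, tampered, sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the design is that `verify` needs only the public key, so the secret never has to be on the device, and the check works whether or not the main operating system is running; that is exactly the property the article says the Bluetooth chip lacks.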
Software update doesn’t help
“The current LPM implementation on iPhones is opaque and adds new threats,” the researchers write in their paper. The biggest danger is that LPM support is implemented in hardware, which means the problem cannot be fixed with a software update. LPM, short for Low Power Mode, is the power-saving mode in which Bluetooth, NFC and UWB keep running after an iPhone is turned off.
The researchers further say, “LPM feature design appears to be primarily functionality-driven, without regard for threats beyond the intended applications. Find My iPhone turns disabled iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not protected against tampering.”
According to the researchers, there is no evidence that this exploit has actually been used. Ars Technica points out that the always-on function in iOS 15 could be abused by attackers, for example to install spyware such as Pegasus. In theory, it is also possible to infect chips that are susceptible to this kind of over-the-air exploit.
Apple has not yet responded to the research report from TU Darmstadt. The researchers will present their findings this week at the ACM WiSec conference in the US city of San Antonio. The conference focuses on the security of wireless devices.