Experts show how to run malware on chips of a turned-off iPhone

Researchers devised an attack technique to tamper the firmware and execute a malware onto a Bluetooth chip when an iPhone is “off.”

A team of researchers from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt demonstrated a technique to tamper with the firmware and load malware onto a chip while an iPhone is “OFF.”

Experts pointed out that when an iPhone is turned off, most wireless chips (Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB)) continue to operate.

The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM,” the researchers said.

The Low-Power Mode was implements with iOS 15, it is supported by iPhone 11, iPhone 12, and iPhone 13 devices.

Many users are not aware of these features, even if they are aware that their iPhone remains locable even when the device was turned off.

The experts mentioned the case of a user-initiated shutdown during which the iPhone remains locatable via the Find My network.

The researchers focused their analysis on how Apple implements standalone wireless features while the iOS is not running, they also discovered that the wireless chips have direct access to the secure element.

“LPM [Low Power Mode] support is implemented in hardware. The Power Management Unit (PMU) can turn on chips individually. The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM. Since LPM support is implemented in hardware, it cannot be removed by changing software components.” reads the paper published by the researchers. “As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model. Previous work only considered that journalists are not safe against espionage when enabling airplane mode in case their smartphones were compromised”

The experts explained that a threat actor has different options to tamper with firmware, which depend on their preconditions. Unlike NFC and UWB chips, the Bluetooth firmware is neither signed nor encrypted opening the doors to modification.

An attacker with privileged access can exploit this bug to develop a malware that can run on an iPhone Bluetooth chip even when it is off.

“The current LPM implementation on Apple iPhones is opaque and adds new threats. Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model.” concludes the paper. “To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues. Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation. Tracking properties could stealthily be changed by attackers with system-level access.”

The researchers will present the results of their study at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022).

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, domain name system)

[adrotate banner=”5″]

[adrotate banner=”13″]