It seems our iPhones aren't quite as secure as we thought. The handy Find My feature can be turned against you, and not only when you lose your phone. Researchers have shown that the same low-power hardware that keeps Find My working after shutdown can be used to track an iPhone without its owner's consent, and can be made to run malicious code even while the phone appears to be off.
Researchers at Germany's Technical University of Darmstadt found a weakness in the iPhone's design that let them take control of the device's Bluetooth chip, the component that keeps Find My working after power-off. Here is how the attack works and how you might guard against it.
How does it work?
Although many users don't realize it, turning off an iPhone does not completely shut it down. Certain chips inside the device keep running in a low-power mode. This is what makes it possible to locate a lost or stolen phone through Find My, or to use stored payment cards and digital car keys, after the battery has run down.
Researchers have now found a way to abuse this mode to run malware that stays active while the iPhone appears to be switched off. The key weakness is that the firmware running on the iPhone's Bluetooth chip, the chip that broadcasts the Find My beacons other devices use to locate it, is neither digitally signed nor encrypted, so nothing stops modified firmware from being loaded onto it.
The German researchers showed how this missing protection can be exploited to run malware that lets an attacker track the phone's location or add new functions while the device is turned off. One important caveat from their threat model: this is not an over-the-air attack on an untouched phone. The attacker first needs privileged access to iOS, for example on a jailbroken device, in order to replace the Bluetooth firmware. The study is considered one of the first to focus on the security risks posed by iPhone chips in low-power mode.
Low-power mode keeps Bluetooth on for up to 24 hours after shutdown
Not to be confused with the battery-saving Low Power Mode in iOS, the low-power mode (LPM) examined in this research lets the chips responsible for near-field communication (NFC), ultra-wideband (UWB) and Bluetooth keep running in a special state for up to 24 hours after the device is turned off.
“The current LPM implementation on Apple iPhones is opaque and adds new threats,” the researchers wrote. “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.”
They continued, “Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”
The scholars revealed that Apple engineers reviewed their report before it was released, yet the company’s representatives never provided any feedback on its findings. Apple representatives never responded to an email from Wired seeking comment on the study.
Pros and Cons
Despite these findings, the Find My feature powered by LPM offers real benefits to people who have lost their device or need to unlock a car with a dead phone. But the research shows that this convenience comes with a downside: the same hardware that keeps the phone findable also keeps it attackable.
“Hardware and software attacks similar to the ones described have been proven practical in a real-world setting, so the topics covered in this paper are timely and practical,” said John Loucaides, senior vice president of strategy at firmware security firm Eclypsium. “This is typical for every device. Manufacturers are adding features all the time, and with every new feature comes a new attack surface.”