What would you do if you discovered malware on your iPhone?
Your first instinct might be to turn off the damn thing to stop malicious snooping. Unfortunately, even that may not be enough.
“Nonsense!” you cry. How can malware run without electricity? The simple answer is that devices are rarely completely “off” these days.
The research is summarized in the 1-minute video below:
The exploit uses the iPhone’s Low Power Mode, which has been supported on every iPhone since 2018, starting with the iPhone XR and XS. In this mode, the NFC, Ultra-Wideband, and Bluetooth chips can still draw a little power while the rest of the phone is turned off.
That’s obviously very useful if you ever lose your phone, but it opens up the potential for a new kind of malware that can run until your battery is absolutely, 100% dead.
The Bluetooth chip has its own firmware that can run separately from the main processor. This firmware is at the heart of the research; according to the researchers, it is completely unsigned, has “no protection against modification” and “attackers can run Bluetooth malware even after shutdown.”
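To make concrete what “no protection against modification” means for a firmware image, here is an added example (not Apple’s code, not the researchers’ code, and not a model of the real Bluetooth chip’s boot process) contrasting a loader that runs whatever sits in flash with one that verifies an authentication tag before loading. The firmware blob and the device key are constructed for the demo; a real design would use a public-key signature rooted in the SoC rather than a shared HMAC key, but the verification logic is the same shape.

```python
"""Added illustration: an unprotected firmware loader versus one that
verifies the image before running it.  Constructed sample data only."""
import hashlib
import hmac

# Constructed stand-ins: a fake firmware image and a 32-byte device key that
# in a real design would live in hardware (for example fused into the SoC).
FIRMWARE_IMAGE = b"BTFW\x01\x00" + bytes(range(64))
DEVICE_KEY = hashlib.sha256(b"constructed-demo-key").digest()


def sign_firmware(image: bytes, key: bytes) -> bytes:
    """Producer side: compute the tag that a modified copy will fail to match."""
    return hmac.new(key, image, hashlib.sha256).digest()


def load_unprotected(image: bytes) -> bool:
    """Loader with no integrity check: any image with the right magic runs.
    This mirrors the situation the article describes for the Bluetooth firmware."""
    return image.startswith(b"BTFW")


def load_verified(image: bytes, tag: bytes, key: bytes) -> bool:
    """Loader that refuses an image whose tag does not verify.
    compare_digest runs in constant time, so the comparison does not leak tag bytes."""
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def patch_image(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Produce a modified copy of the image (one overwritten byte range)."""
    return image[:offset] + new_bytes + image[offset + len(new_bytes):]


if __name__ == "__main__":
    tag = sign_firmware(FIRMWARE_IMAGE, DEVICE_KEY)
    tampered = patch_image(FIRMWARE_IMAGE, 16, b"\xff\xff\xff\xff")
    print("unprotected loader accepts modified image:", load_unprotected(tampered))
    print("verified loader accepts genuine image:   ", load_verified(FIRMWARE_IMAGE, tag, DEVICE_KEY))
    print("verified loader accepts modified image:  ", load_verified(tampered, tag, DEVICE_KEY))
```

The unprotected loader accepts the modified image, the verified loader rejects it, and a wrong key rejects even the genuine image; that last property is why the verification key has to be anchored in hardware rather than stored alongside the firmware it protects.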
The Bluetooth and UWB chips are wired to the Secure Element in Apple’s NFC chip, which stores information for Apple Pay, car keys and Express Cards. That essentially means that the information stored in the Secure Element can be made accessible by attacking the Bluetooth chip’s firmware.
Worse, “since LPM support is implemented in hardware, it cannot be removed” by system updates. And firmware-level exploits that ride on power-saving modes can be extremely difficult to detect: malware is sometimes spotted only because it causes extra battery drain, a tell that an exploit running inside a power-saving mode gives off far less of.
Before trading your iPhone for a flip phone, it’s worth noting that the exploit described in the paper requires a jailbroken iPhone, which greatly reduces the chances of regular users being affected. The researchers also shared their findings with Apple, which will likely try to address these concerns in future devices.
Still, it goes to show that with every nifty new feature, there’s a new opportunity for bad guys to take advantage. It’s not inconceivable that hackers will find ways to jailbreak iPhones remotely, as happened with Pegasus. For every exploit that is made public early, there are others that we don’t find out until it’s too late.
The researchers acknowledge that LPM applications are intended to increase security and safety for most users, but say, “Apple should add a hardware switch to disconnect the battery.” Such a change, they add, would improve the situation for users who are sensitive to privacy and for surveillance targets such as journalists.
Via Ars Technica