iPhones Vulnerable to Attack Even When Turned Off | Threatpost
Attackers can target iPhones even when they are turned off because of how Apple implements standalone wireless technology such as Bluetooth, NFC and UWB. The data these features rely on is stored in the Secure Element, which stays active even when the phone is turned off.
A hacker could compromise a phone by loading malicious software onto it that keeps running after the phone is turned off. This means you should turn off your phone when you’re not using it.
Though the risk is real, attackers would still need to load the malware while the phone is on so that it can execute later, after the phone is turned off. This requires system-level access or remote code execution, which can be gained using known flaws such as BrakTooth.
Root of the Issue
Low Power Mode causes problems when used on mobile devices such as smartphones, because some apps use more power than others and some are even designed to stay active during this time. Apple should make sure that developers do not use too much power, or else there could be issues with the device.
The LPM at issue is “either activated when the user swipes their finger across the screen or when iOS shuts down due to low battery”. While current LPM implementations increase users’ security, safety and comfort in most situations, they also add new threats.
Apple has been using the same technology for years, but now it is being used as an attack vector.
Sample Threat Scenario
Researchers observed that LPM features provide more security than other features. The potential threat scenario they described assumed that an attacker either had system-level access or could gain RCE using a known Bluetooth vulnerability.
Apple devices run an operating system called iOS, which includes a feature called Low Power Mode (LPM). When the device goes into this mode, it shuts down most of the phone’s features except the ones needed to wake it up again. In other words, if you turn your phone off, it won’t work until you turn it back on, but if someone has hacked into the phone, they can make it work without turning it on.
Apple devices have a smaller attack surface than Android devices, but attackers could still use NFC Express Mode, Bluetooth, and UWB (the DCK 3.0 digital car key). An attacker with system-level privileges could still send custom commands that allow them to configure advertising intervals and contents.
This could allow attackers to use location-based services to pinpoint users’ devices. For example, if someone hacked into your phone and turned off the location service, you would not be able to see where your phone was.
Apple’s Response and Potential Mitigation
Researchers reported their findings to Apple, but Apple didn’t respond. A possible solution would be a hardware-based switch that turns off the wireless components when the phone is turned off.
This would improve the situation for people who want to protect their privacy; surveillance targets such as journalists could use it to avoid being tracked by the government.