Hackers can exploit iPhones' low-power mode to run malware even when device is off, researchers warn

Hackers can exploit iPhones' low-power mode functionality to run malware even when the device is off


Wireless chips in modern iPhones pose a new threat model

Researchers from the Technical University (TU) of Darmstadt's Secure Mobile Networking Lab examined the low-power mode (LPM) implementation on iPhones and discovered that it poses major security risks, even allowing attackers to operate malware on switched-off devices.

LPM features, which were introduced with iOS 15 last year, are activated when the user turns off the device or when the iPhone shuts down due to low battery.

While the device seems to be completely shut off, LPM permits near-field communication (NFC), ultra wideband (UWB), and Bluetooth chips to function in a special mode that can remain on for 24 hours.

This ensures that some functions, such as Find My service (for locating a device), payment apps, digital car keys, and travel cards are still available even after the device's battery runs out.

The researchers point out in their paper [pdf] that the LPM analysed in this study should not be confused with iOS's low-power mode for saving battery life.

"The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM," the researchers say, describing the current LPM implementation on Apple iPhones as "opaque" and adding new threats.

"Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model."

According to the researchers, the Bluetooth firmware is neither signed nor encrypted, so a malicious actor with privileged access could create malware capable of running on an iPhone's Bluetooth chip even when the phone is turned off.

However, as pointed out in the paper, an attacker would have to first hack and jailbreak the iPhone (which is surely a challenging task) in order to gain access to the Bluetooth chip and exploit it.

Nonetheless, spyware like Pegasus - a sophisticated smartphone attack tool from Israel's NSO Group that governments around the world use to spy on opponents - might benefit from targeting the always-on functionality in iOS, according to the researchers.

They conclude that while Apple's use of LPM improves customers' security by allowing them to discover a lost or stolen phone, this functionality also introduces a new threat model because the wireless chips are still on.

In addition to allowing malware to run while the device is off, exploits targeting LPM may also allow malware to operate more covertly, because LPM is designed to let firmware run while conserving battery power, the researchers warn.

"[Low-Power Mode] is a relevant attack surface that has to be considered by high-value targets such as journalists, or that can be weaponized to build wireless malware operating on shutdown iPhones," the paper reads.

The research team informed Apple of their results, but received no response before their work was published last week.

The researchers will report their findings at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this week in San Antonio.
