Some days ago, a follower asked me for more information about an article announcing the possibility of hacking iPhones even when switched off.


Actually, the situation is not that serious, but let’s take a step back.


Find My

In 2021, Apple announced that its Find My service for locating lost devices would work even when the device is powered off. This improvement is available on all Apple smartphones since the iPhone 11.

For example, if you lose your phone somewhere and its battery dies after a while, it won’t shut itself down completely, but will go into a low-power mode in which only a very limited set of modules keeps running. These are mainly the radio modules: Bluetooth, Ultra Wideband (UWB) and NFC. There’s also the Secure Element, a security chip that stores your most valuable secrets, such as credit card details.

Bluetooth in low power mode is used for data transfer, while UWB is used for smartphone positioning. In low-power mode, the smartphone sends information about itself that can be picked up by passers-by’s iPhones. When the owner of the lost phone logs into their Apple account online and marks the phone as lost, information from nearby smartphones is used to track the device’s whereabouts.


The research paper

Some weeks ago, researchers at Darmstadt University’s Secure Mobile Networks Laboratory published a paper describing a theoretical way to hack an iPhone even when the device is turned off. The research examines how the wireless module works and finds ways to develop malware that can run completely independently of iOS.

The researchers envisioned a scenario where an attacker would bring an infected phone close to a victim’s device and deliver malware that would then steal payment card information and even virtual car keys.

However, the paper’s authors didn’t actually demonstrate this, and they are still several steps away from a working attack implementation with genuinely usable malware loaded onto a smartphone. Still, even without this, the researchers have done a lot to analyze the phone’s undocumented capabilities, reverse engineer its Bluetooth firmware, and model various scenarios in which the wireless module is used.

In fact, the team’s key finding was that the firmware of the Bluetooth module is neither encrypted nor protected by Secure Boot technology. Secure Boot includes multiple levels of verification of program code at boot time, so that only firmware authorized by the device manufacturer can run.

The lack of encryption makes it possible to analyze the firmware and search for vulnerabilities that can be exploited later.

Of course, this alone is not enough for serious practical attacks. To carry one out, attackers would have to analyze the firmware, try to replace it with their own, and find a way to break in. The authors of the paper detail a theoretical model of the attack, but don’t actually show that the iPhone can be hacked via Bluetooth, NFC, or UWB. What their results do make clear is that, because these modules are always enabled, an exploit against them would also work even when the phone is switched off.


Conclusions

Apple shrugged off the study and declined to comment. On the bright side, the paper has no direct impact on the average user: the data obtained in the research is not sufficient for an actual attack.