The feature that lets Apple iPhone owners try to locate their stolen or lost devices can be exploited to run malware, a group of German researchers have found.
The findings were presented yesterday to the ACM’s WiSec 2022 conference by researchers Jiska Classen, Alexander Heinrich, Robert Reith and Matthias Hollick of TU Darmstat’s Secure Mobile Networking Lab.
In a paper posted to arXiv late last week, the researchers explained that to keep a phone locatable by the Find My network, most wireless chips remain active even if an iPhone is switched off.
As well as device location (implemented in Bluetooth), the researchers wrote that items in the phone’s digital wallet also remain accessible when a phone is switched off.
They analysed how these features are implemented, and what their security boundaries are.
What they found is that the iPhone’s power management system can power up the individual Bluetooth and ultra wideband (UWB) chips, in a low power mode (LPM) they describe as “significantly more stealthy than a fake power off that only disables the screen”.
“LPM is a relevant attack surface that has to be considered by high-value targets such as journalists, or that can be weaponised to build wireless malware operating on shutdown iPhones”, the researchers wrote.
“On recent iPhones, Bluetooth, near field communication (NFC), and ultra-wideband keep running after power off, and all three wireless chips have direct access to the secure element," the paper states.
Since those chips are hardwired to the secure element, they have access to secrets stored there – an implementation vulnerability can’t be fixed with a software patch.
“As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown”.
The researchers also found that there’s no mechanism for signing the firmware the Bluetooth processor runs, creating a potential exploit vector.
The researchers posted a video teaser of their presentation on YouTube.
