A team of German researchers has discovered a new threat model affecting Apple iPhones that allows malware to be installed on a device even when it is turned off.
Researchers have been able to show that malware can be installed on an iPhone’s Bluetooth chip, one of the few components that remains active after the device is turned off and that it also has access to the security features of an iPhone.
The attack vector depends on an iPhone user running iOS 15 or later, as this was the version that added the functionality of finding a device even after it has been turned off.
Most wireless chips remain activated on an iPhone for users who have enabled the “Find My network” setting in Apple’s Find My app, even if it has been manually turned off.
Bluetooth, NFC and ultra-wideband (UWB) wireless chips are connected to the phone’s secure element – the area where secrets are stored – and therefore can no longer be trusted components of the device, according to the researchers, given that are accessible after a shutdown.
The researchers were able to write to an iPhone 13’s Bluetooth chip by leveraging a legacy feature that requires iOS to be able to write to executable RAM regions using a vendor-specific Host Controller Interface (HCI) command.
Attackers could, in theory, modify the Bluetooth chip’s custom functionality during a low-energy mode, via malware, to send the device’s location to the attacker, or add new functionality, the researchers said in their study, titled «Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones» (Evil Never Sleeps: When Wireless Malware Stays On After iPhones Are Turned Off.) 12-page PDF document. No registration required.