We have always assumed that a switched-off phone is safe from attack and cannot be traced or tracked, yet cybercriminals keep finding ways to reach even a phone that appears to be off. We also tend to regard the iPhone as the most secure of all mobile devices, but it too can be insecure. Researchers from the Secure Mobile Networking Lab at the Technical University of Darmstadt in Germany have published a paper describing a theoretical method for compromising an iPhone even when the device is turned off.
According to the Kaspersky blog, the study examined the operation of the wireless module, found ways to analyze the Bluetooth firmware and, as a result, demonstrated malware capable of running completely independently of the device's operating system, iOS.
In 2021, Apple announced that the Find My service, which is used to locate a lost device, would now work even when the device was switched off. This feature is available in all Apple smartphones from the iPhone 11 onward. Even when switched off, such a phone does not power down completely but enters a low power mode in which only a very limited number of modules stay alive: mainly the Bluetooth and Ultra Wideband (UWB) wireless modules, as well as NFC.
In low power mode, Bluetooth is used for data transfer, while UWB is used to determine the smartphone's location. While in this mode, the smartphone broadcasts information about itself.
The researchers in Germany conducted a detailed analysis of the Find My service in low power mode and discovered previously undocumented behaviour. After the phone is powered off, most of the work is handled by the Bluetooth module, which is reloaded and configured by a set of iOS commands. It then periodically sends data packets over the air, allowing other devices to detect an iPhone that is, to all appearances, switched off.
The main finding was that the firmware of the Bluetooth module is neither encrypted nor protected by Secure Boot. The lack of encryption allows the firmware to be analyzed and vulnerabilities to be discovered, which can then be used in attacks. The absence of Secure Boot goes further: it allows an attacker to completely replace the manufacturer's code, which the Bluetooth module then executes without complaint.
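To make the Secure Boot point concrete, the following added example (written for this article, not code from the Darmstadt researchers, Apple or Kaspersky) models two radio bootloaders side by side. The image layout (`FWIM` magic, version, length, payload, Ed25519 signature), the function names and the sample payload are all constructed assumptions and do not describe Apple's real firmware format. `LoadWithoutSecureBoot` runs whatever parses, so a modified image is accepted; `LoadWithSecureBoot` verifies the vendor's signature against a public key that would be fixed in ROM, so the same modified image is refused before a byte of it runs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (assumption, not Apple's format):
//   magic(4) | version(4) | payloadLen(4) | payload | ed25519 signature(64)
// The signature covers everything that precedes it.
const (
	imageMagic = "FWIM"
	headerLen  = 12
	sigLen     = ed25519.SignatureSize
)

var ErrBadImage = errors.New("firmware image rejected")

// FirmwareImage is what a bootloader would hand to the radio core.
type FirmwareImage struct {
	Version uint32
	Payload []byte
}

// BuildSignedImage serialises header and payload, then appends the vendor's
// signature over a SHA-256 digest of them. Only the holder of priv can do this.
func BuildSignedImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(imageMagic)
	binary.Write(&buf, binary.LittleEndian, version)
	binary.Write(&buf, binary.LittleEndian, uint32(len(payload)))
	buf.Write(payload)
	digest := sha256.Sum256(buf.Bytes())
	buf.Write(ed25519.Sign(priv, digest[:]))
	return buf.Bytes()
}

// parseHeader performs structural checks only; it says nothing about who built the image.
func parseHeader(img []byte) (*FirmwareImage, error) {
	if len(img) < headerLen+sigLen || string(img[:4]) != imageMagic {
		return nil, ErrBadImage
	}
	version := binary.LittleEndian.Uint32(img[4:8])
	n := int(binary.LittleEndian.Uint32(img[8:12]))
	if n != len(img)-headerLen-sigLen {
		return nil, ErrBadImage
	}
	return &FirmwareImage{Version: version, Payload: img[headerLen : headerLen+n]}, nil
}

// LoadWithoutSecureBoot models the weak design the article describes:
// anything that parses is executed, so a rewritten image is accepted.
func LoadWithoutSecureBoot(img []byte) (*FirmwareImage, error) {
	return parseHeader(img)
}

// LoadWithSecureBoot models the mitigation: the image runs only if its
// signature verifies under the vendor public key fixed in ROM.
func LoadWithSecureBoot(vendorPub ed25519.PublicKey, img []byte) (*FirmwareImage, error) {
	fw, err := parseHeader(img)
	if err != nil {
		return nil, err
	}
	signed := img[:len(img)-sigLen]
	digest := sha256.Sum256(signed)
	if !ed25519.Verify(vendorPub, digest[:], img[len(img)-sigLen:]) {
		return nil, ErrBadImage
	}
	return fw, nil
}

// PatchPayload returns a copy of img with payload bytes overwritten, standing
// in for an image that was altered after the vendor signed it.
func PatchPayload(img []byte, offset int, patch []byte) []byte {
	out := append([]byte(nil), img...)
	copy(out[headerLen+offset:], patch)
	return out
}

// RunScenario signs a constructed image, patches it, and reports whether each
// bootloader accepts the patched copy: (weakAccepts, secureAccepts, err).
func RunScenario() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	genuine := BuildSignedImage(priv, 1, []byte("genuine radio firmware payload")) // constructed sample
	if _, err := LoadWithSecureBoot(pub, genuine); err != nil {
		return false, false, fmt.Errorf("genuine image must verify: %w", err)
	}
	patched := PatchPayload(genuine, 0, []byte("MODIFIED"))
	_, weakErr := LoadWithoutSecureBoot(patched)
	_, secureErr := LoadWithSecureBoot(pub, patched)
	return weakErr == nil, secureErr == nil, nil
}

func main() {
	weak, secure, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("patched image accepted: without secure boot=%v, with secure boot=%v\n", weak, secure)
}
```

The design choice worth noting is where the trust anchor lives: the verifying key is an input the bootloader already holds, never something read from the image itself, which is why signing the digest in `BuildSignedImage` binds both header and payload. Encrypting the image would additionally hinder analysis, but on its own it would not stop execution of replaced code; only the signature check does that.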