"Hackers Can Abuse Low-Power Mode to Run Malware on Powered-Off iPhones"

Security researchers from a university in Germany have analyzed the low-power mode (LPM) implementation on iPhones and found that it introduces potentially serious security risks, even allowing attackers to run malware on powered-off devices. LPM is activated when the user switches off the iPhone or when the device shuts down due to low battery. While the device appears completely turned off, LPM ensures that certain features are still available, including the Find My service (for locating a device), digital car keys, payment apps, and travel cards. The researchers stated that while LPM has many benefits, it also introduces some security risks that cannot be ignored.

An analysis conducted by a team of researchers from the Secure Mobile Networking Lab at TU Darmstadt showed that, on recent iPhone models, Bluetooth, NFC, and Ultra-wideband (UWB) wireless communication systems remain active even after the device has been shut down. They analyzed the features introduced in iOS 15. The researchers noted that the Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM. Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown, the researchers explained.

The researchers checked whether applications that rely on LPM (e.g., Find My) work as intended and whether they impact hardware and firmware security. In the firmware-focused analysis, the researchers assumed the attacker had privileged firmware access, being able to send custom commands to the firmware, modify the firmware image, or achieve code execution over the air. The researchers claim that once the firmware has been compromised, the attacker can maintain limited control of the device even after it has been powered off by the user, which could be useful for persistent exploits.

In the case of the hardware layer, the researchers assumed that the attacker did not manipulate hardware. They focused on determining which components could be powered on without the user's knowledge and which applications could be built on them. The researchers also detailed how Bluetooth LPM firmware can be changed to run malware on an iPhone 13 when the device is powered off. This is possible because the firmware is not signed or encrypted, and the Bluetooth chip does not have secure boot enabled.


SecurityWeek reports: "Hackers Can Abuse Low-Power Mode to Run Malware on Powered-Off iPhones"
