{"id":44530,"date":"2022-06-07T11:19:15","date_gmt":"2022-06-07T15:19:15","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=44530"},"modified":"2022-06-07T11:19:15","modified_gmt":"2022-06-07T15:19:15","slug":"hacking-powered-off-iphone","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/hacking-powered-off-iphone\/44530\/","title":{"rendered":"Hacking a powered-off iPhone: vulnerabilities never sleep"},"content":{"rendered":"<p>Researchers from the Secure Mobile Networking Lab at the University of Darmstadt, Germany, have published a <a href=\"https:\/\/arxiv.org\/pdf\/2205.06114.pdf\" target=\"_blank\" rel=\"nofollow noopener\">paper<\/a> describing a theoretical method for hacking an iPhone \u2014 even if the device is off. The study examined the operation of the wireless modules, found ways to analyze the Bluetooth firmware and, consequently, to introduce malware capable of running completely independently of iOS, the device\u2019s operating system.<\/p>\n<p>With a little imagination, it\u2019s not hard to conceive of a scenario in which an attacker holds an infected phone close to the victim\u2019s device and transfers malware, which then steals payment card information or even a virtual car key.<\/p>\n<p>The reason it requires any imagination at all is that the authors of the paper didn\u2019t actually demonstrate this, stopping one step short of a practical attack implementation in which something really <s>useful<\/s> nasty is loaded into the smartphone. All the same, even without this, the researchers did a lot to analyze the undocumented functionality of the phone, reverse-engineer its Bluetooth firmware, and model various scenarios for using wireless modules.<\/p>\n<p>So, if the attack didn\u2019t play out, what\u2019s this post about? 
We\u2019ll explain, don\u2019t worry, but first an important statement: if a device is powered off, but interaction with it (hacking, for example) is somehow still possible, then guess what\u00a0\u2014 it\u2019s not completely off!<\/p>\n<p>How did we get to the point where switching something off doesn\u2019t necessarily mean it\u2019s actually off? Let\u2019s start from the beginning\u2026<\/p>\n<h2>Apple\u2019s Low Power Mode<\/h2>\n<p>In 2021, Apple announced that the Find My service, which is used for locating a lost device, will now work even if the device is switched off. This improvement is available in all Apple smartphones since the iPhone 11.<\/p>\n<p>If, for example, you lose your phone somewhere and its battery runs out after a while, it doesn\u2019t turn off completely, but switches to Low Power Mode, in which only a very limited set of modules are kept alive. These are primarily the Bluetooth and Ultra WideBand (UWB) wireless modules, as well as NFC. There\u2019s also the so-called <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-element\/22408\/\" target=\"_blank\" rel=\"noopener nofollow\">Secure Element<\/a>\u00a0\u2014 a secure chip that stores your most precious secrets like credit card details for contactless payments or car keys \u2014 the latest feature available since 2020 for a limited number of vehicles.<\/p>\n<p>Bluetooth in Low Power Mode is used for data transfer, while UWB is used for determining the smartphone\u2019s location. In Low Power Mode, the smartphone sends out information about itself, which the iPhones of passers-by can pick up. If the owner of a lost phone logs in to their Apple account online and marks the phone as lost, information from surrounding smartphones is then used to determine the whereabouts of the device. 
For details of how this works, see our recent <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-protect-from-stalking-with-airtag\/43705\/\" target=\"_blank\" rel=\"noopener nofollow\">post about AirTag stalking<\/a>.<\/p>\n<p>The announcement quickly prompted a heated discussion among information security experts about the maze of potential security risks. The research team from Germany decided to test out possible attack scenarios in practice.<\/p>\n<div id=\"attachment_44532\" style=\"width: 1010px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/06\/07110054\/hacking-powered-off-iphone-screen.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-44532\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/06\/07110054\/hacking-powered-off-iphone-screen.jpg\" alt=\"iPhone remains findable after power off reminder when powering off\" width=\"1000\" height=\"520\" class=\"size-full wp-image-44532\"><\/a><p id=\"caption-attachment-44532\" class=\"wp-caption-text\">When powering off the phone, the user now sees the \u201ciPhone Remains Findable After Power Off\u201d message. <a href=\"https:\/\/arxiv.org\/pdf\/2205.06114.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<h2>Find My after power off<\/h2>\n<p>First of all, the researchers carried out a detailed analysis of the Find My service in Low Power Mode, and discovered some previously unknown traits. After power off, most of the work is handled by the Bluetooth module, which is reloaded and configured by a set of iOS commands. It then periodically sends data packets over the air, allowing other devices to detect the <em>not-really-off<\/em> iPhone.<\/p>\n<p>It turned out that the duration of this mode is limited: in iOS 15.3, only 96 broadcast sessions are scheduled, with an interval of 15 minutes. That is, a lost and powered-off iPhone will be findable for just 24 hours. 
If the phone powered off due to a low battery, the window is even shorter\u00a0\u2014 about five hours. This can be considered a quirk of the feature, but a real bug was also found: sometimes when the phone is off, the \u201cbeacon\u201d mode is not activated at all, although it should be.<\/p>\n<p>Of most interest here is that the Bluetooth module is reprogrammed before power off; that is, its functionality is fundamentally altered. But what if it can be reprogrammed to the detriment of the owner?<\/p>\n<h2>Attack on a powered-off phone<\/h2>\n<p>In fact, the team\u2019s main discovery was that the firmware of the Bluetooth module is not encrypted and not protected by Secure Boot technology. Secure Boot involves multistage verification of the program code at start-up, so that only firmware authorized by the device manufacturer can be run.<\/p>\n<p>The lack of encryption permits analysis of the firmware and a search for vulnerabilities, which can later be used in attacks. But the absence of Secure Boot allows an attacker to go further and completely replace the manufacturer\u2019s code with their own, which the Bluetooth module then executes. For comparison, analysis of the iPhone\u2019s UWB module firmware revealed that it\u2019s protected by Secure Boot, although the firmware isn\u2019t encrypted either.<\/p>\n<p>Of course, that\u2019s not enough for a serious, practical attack. For that, an attacker needs to analyze the firmware, try to replace it with something of their own making, and look for ways to break in. The authors of the paper describe in detail the theoretical model of the attack, but don\u2019t show practically that the iPhone is hackable through Bluetooth, NFC or UWB. What\u2019s clear from their findings is that if these modules are always on, the vulnerabilities likewise will always work.<\/p>\n<p>Apple was unimpressed by the study, and declined to respond. 
This in itself, however, says little: the company is careful to keep a poker face even in cases when a threat is serious and demonstrated to be so in practice.<\/p>\n<p>Bear in mind that Apple goes to great lengths to keep its secrets under wraps: researchers have to deal with closed software code, often encrypted, on Apple\u2019s own hardware, with made-to-order third-party modules. A smartphone is a large, complex system that\u2019s hard to figure out, especially if the manufacturer hinders rather than helps.<\/p>\n<p>No one would describe the team\u2019s findings as breathtaking, but they are the result of lots of painstaking work. The paper has merit for questioning the security policy of powering off the phone, but keeping some modules alive. The doubts were shown to be justified.<\/p>\n<h2>A half powered-off device<\/h2>\n<p>The paper concludes that the Bluetooth firmware is not sufficiently protected. It\u2019s theoretically possible either to modify it in iOS or to reprogram the same Low Power Mode by expanding or changing its functionality. The UWB firmware can also be examined for vulnerabilities. The main problem, however, is that these wireless modules (as well as NFC) communicate directly with the protected enclave that is Secure Element. Which brings us to some of the paper\u2019s most exciting conclusions:<\/p>\n<p>Theoretically, it\u2019s possible to steal a virtual car key from an iPhone \u2014 even if the device is powered off! Clearly, if the iPhone is the car key, losing the device could mean losing the car. However, in this case the actual phone remains in your possession while the key is stolen. 
Imagine it like this: an intruder approaches you at the mall, brushes their phone against your bag, and steals your virtual key.<\/p>\n<p>It is theoretically possible to modify the data sent by the Bluetooth module, for example, in order to use a smartphone to spy on a victim \u2014 again, even if the phone is powered off.<\/p>\n<p>Having payment card information stolen from your phone is another theoretical possibility.<\/p>\n<p>But all this of course still remains to be proven. The work of the team from Germany shows once more that adding new functionality carries certain security risks that must be taken into account. Especially when the reality is so different from the perception: you think your phone is fully off, when in fact it isn\u2019t.<\/p>\n<p>This is not a completely new problem, mind. The Intel Management Engine and AMD Secure Technology, which also handle system protection and secure remote management, are active whenever the motherboard of a laptop or desktop computer is connected to a power source. As in the case of the Bluetooth\/UWB\/NFC\/Secure Element bundle in iPhones, these systems have extensive rights inside the computer, and vulnerabilities in them can be very dangerous.<\/p>\n<p>On the bright side, the paper has no immediate impact on ordinary users: the data obtained in the study is insufficient for a practical attack. As a surefire solution, the authors suggest that Apple should implement a hardware switch that kills the power to the phone completely. But given Apple\u2019s physical-button phobia, you can be sure that won\u2019t happen.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Can a device be hacked when switched off? Recent studies suggest so. 
Let\u2019s see how this is even possible.<\/p>\n","protected":false},"author":665,"featured_media":44531,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1789,2683],"tags":[14,1250,26,2938,268],"class_list":{"0":"post-44530","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"category-threats","9":"tag-apple","10":"tag-ios","11":"tag-iphone","12":"tag-secure-element","13":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hacking-powered-off-iphone\/44530\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/hacking-powered-off-iphone\/24251\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/hacking-powered-off-iphone\/19734\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/hacking-powered-off-iphone\/9949\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/hacking-powered-off-iphone\/26579\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/hacking-powered-off-iphone\/24537\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/hacking-powered-off-iphone\/24898\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/hacking-powered-off-iphone\/27262\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/hacking-powered-off-iphone\/33307\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/hacking-powered-off-iphone\/10759\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/hacking-powered-off-iphone\/19011\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/hacking-powered-off-iphone\/19560\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/hacking-powered-off-iphone\/28878\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/hacking-powered-off-iphone\/25103\/"},{"hreflang":"en-au",
"url":"https:\/\/www.kaspersky.com.au\/blog\/hacking-powered-off-iphone\/30613\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hacking-powered-off-iphone\/30362\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/ios\/","name":"iOS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/44530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=44530"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/44530\/revisions"}],"predecessor-version":[{"id":44534,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/44530\/revisions\/44534"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/44531"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=44530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=44530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=44530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}