Researchers have found that recent iPhones can keep running malware even after they have been turned off.
The “Find My” feature in iOS opens a new attack surface: the firmware of the Bluetooth chip can be tampered with, so malware can be loaded into the chip and executed there. Bluetooth, together with the Near-field communication (NFC) and ultra-wideband (UWB) chips, keeps operating while the iPhone is in Low Power Mode (LPM). This LPM was introduced with iOS 15 (it is distinct from the user-facing battery-saving setting of the same name) and lets the iPhone remain locatable through Find My even when it has run out of battery or has been shut down by the user.
The Bluetooth and UWB chips are wired directly to the Secure Element in the NFC chip, which holds secrets that must remain available in LPM, so a compromised wireless chip sits right next to sensitive key material. Because LPM support is implemented in hardware, it cannot be removed by changing software components. The practical consequence is that the wireless chips in a modern iPhone can no longer be trusted to be fully off after shutdown.
The researchers describe several ways an attacker who already has privileged access to iOS could compromise the firmware: by talking to the chip from the operating system, by modifying the firmware image before it is loaded, or by gaining code execution on a chip that stays active in LPM. With modified firmware running during LPM, a threat actor could keep spying on a target remotely through the device’s Find My Bluetooth broadcasts, long after the owner believes the phone is off.
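A practitioner who wants to check the premise for themselves can capture BLE advertisements from a shut-down iPhone and look for Apple Offline Finding frames, which is what Find My broadcasts. The following Python is an added example, not code from the article or from the researchers. The frame layout it decodes (Apple company ID 0x004C, payload type 0x12, a 28-byte public key split between the random BLE address and the advertising payload, battery state in the top two bits of the status byte) follows the public reverse engineering of the Offline Finding protocol and is an assumption here, as is the constructed sample capture; feed `scan()` the (address, advertising data) pairs from whatever BLE sniffer or HCI trace you use.

```python
"""Detect Apple Offline Finding ("Find My") advertisements in a BLE capture.

Added example, not code from the article or the researchers. Frame layout
(assumption, from public reverse engineering of the Offline Finding protocol):

  adv[0]      0x1E   AD structure length (30)
  adv[1]      0xFF   manufacturer-specific data
  adv[2:4]    4C 00  Apple company ID (little endian)
  adv[4]      0x12   Offline Finding payload type
  adv[5]      0x19   payload length (25)
  adv[6]             status byte, battery state in the top two bits
  adv[7:29]          public key bytes 6..27
  adv[29]            top two bits of public key byte 0
  adv[30]            hint
Key bytes 0..5 travel in the random static BLE address, whose two most
significant bits are forced to 1, which is why bits 6..7 of key byte 0 are
carried separately in adv[29].
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

APPLE_COMPANY_ID = 0x004C
OFFLINE_FINDING_TYPE = 0x12
OFFLINE_FINDING_LEN = 0x19
BATTERY_STATES = ("full", "medium", "low", "very low")  # assumption: status >> 6


@dataclass
class OfflineFindingFrame:
    bd_addr: bytes      # 6-byte random static address, most significant byte first
    public_key: bytes   # reassembled 28-byte key (P-224 x coordinate)
    status: int
    hint: int

    @property
    def battery(self) -> str:
        return BATTERY_STATES[self.status >> 6]


def parse_offline_finding(bd_addr: bytes, adv: bytes) -> Optional[OfflineFindingFrame]:
    """Return a frame if (bd_addr, adv) is an Offline Finding advertisement, else None."""
    if len(bd_addr) != 6 or len(adv) < 31:
        return None
    if adv[0] < 30 or adv[1] != 0xFF:
        return None
    if (adv[2] | (adv[3] << 8)) != APPLE_COMPANY_ID:
        return None
    if adv[4] != OFFLINE_FINDING_TYPE or adv[5] != OFFLINE_FINDING_LEN:
        return None
    # Restore the two key bits that the random-static-address marker overwrote.
    first = (bd_addr[0] & 0x3F) | ((adv[29] & 0x03) << 6)
    key = bytes([first]) + bd_addr[1:6] + adv[7:29]
    return OfflineFindingFrame(bd_addr=bd_addr, public_key=key, status=adv[6], hint=adv[30])


def encode_offline_finding(public_key: bytes, status: int = 0) -> Tuple[bytes, bytes]:
    """Build the (address, advertising data) pair a device sends for public_key.
    Used here to construct sample data; it is the inverse of the parser."""
    if len(public_key) != 28:
        raise ValueError("Offline Finding keys are 28 bytes")
    bd_addr = bytes([public_key[0] | 0xC0]) + public_key[1:6]
    adv = (bytes([0x1E, 0xFF, 0x4C, 0x00, OFFLINE_FINDING_TYPE, OFFLINE_FINDING_LEN, status & 0xFF])
           + public_key[6:28]
           + bytes([public_key[0] >> 6, 0x00]))
    return bd_addr, adv


def scan(capture: List[Tuple[bytes, bytes]]) -> List[OfflineFindingFrame]:
    """Filter a list of (address, advertising data) pairs down to Find My frames."""
    frames = []
    for bd_addr, adv in capture:
        frame = parse_offline_finding(bd_addr, adv)
        if frame is not None:
            frames.append(frame)
    return frames


# Constructed sample capture: one Find My frame built from a made-up key, one
# generic flags-plus-name advertisement, and one Apple iBeacon-style frame
# (payload type 0x02), which must not be mistaken for Find My.
SAMPLE_KEY = bytes(range(0xA0, 0xA0 + 28))
SAMPLE_CAPTURE = [
    encode_offline_finding(SAMPLE_KEY, status=0x80),  # top bits 0b10 -> "low"
    (bytes.fromhex("5C1E2F3A4B5D"), bytes.fromhex("020106") + b"\x05\x09test"),
    (bytes.fromhex("6A7B8C9DAEBF"), bytes.fromhex("1aff4c000215") + bytes(21)),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CAPTURE):
        print(f.bd_addr.hex(), f.public_key.hex(), f.battery)
```

Seeing such frames from a phone that was shut down is exactly the observation the paper builds on; note that the key rotates, so matching a specific device over time requires more than comparing addresses.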
Because LPM support is built into the iPhone’s hardware, the threat cannot be removed with a software update. Apple could add a hardware switch that physically disconnects the battery, but it seems unlikely that it will do so at this time.