A team of researchers from the Technical University of Darmstadt in Germany has shown that it is possible to run malware on an iPhone that has been turned off. The reason this is possible comes down to how the Find My feature keeps working after the phone is shut down.
Find My can still locate an iPhone that has been turned off because the phone does not power down completely: it enters a low-power mode (LPM) in which the NFC, ultra wideband, and Bluetooth chips stay powered, and the Bluetooth chip keeps sending the beacons that Find My relies on. What the researchers found is that the Bluetooth chip's firmware is neither encrypted nor digitally signed, so nothing stops a modified firmware image from being loaded onto the chip. An attacker who can overwrite that firmware can therefore run malicious code on the chip while the rest of the phone appears to be off.
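To make the weakness concrete, the following added example (not code from the paper, and not Apple's or the chip vendor's firmware format) contrasts a loader that accepts any well-formed firmware image with one that requires an Ed25519 signature over the image under a public key pinned in the chip. The image layout, the "BTFW" magic, the payload strings and the key pair are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical firmware image layout (constructed for this example, not a
// real format):
//   magic   4 bytes  "BTFW"
//   version 4 bytes  little-endian
//   length  4 bytes  payload length, little-endian
//   payload N bytes
//   sig     64 bytes Ed25519 signature over magic||version||length||payload
const (
	magic  = "BTFW"
	hdrLen = 12
	sigLen = ed25519.SignatureSize
)

var ErrBadImage = errors.New("firmware image rejected")

// NewVendorKey generates the vendor signing key pair. In a real product the
// private half never leaves the vendor's signing infrastructure and only the
// public half is burned into the chip.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage assembles header+payload and appends the vendor signature.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := make([]byte, hdrLen+len(payload))
	copy(buf, magic)
	binary.LittleEndian.PutUint32(buf[4:], version)
	binary.LittleEndian.PutUint32(buf[8:], uint32(len(payload)))
	copy(buf[hdrLen:], payload)
	return append(buf, ed25519.Sign(priv, buf)...)
}

// parseHeader performs the structural checks shared by both loaders and
// splits the image into the signed region, the signature and the payload.
func parseHeader(img []byte) (signed, sig, payload []byte, err error) {
	if len(img) < hdrLen+sigLen || string(img[:4]) != magic {
		return nil, nil, nil, ErrBadImage
	}
	n := int(binary.LittleEndian.Uint32(img[8:]))
	if n != len(img)-hdrLen-sigLen {
		return nil, nil, nil, ErrBadImage
	}
	signed = img[:hdrLen+n]
	return signed, img[hdrLen+n:], signed[hdrLen:], nil
}

// LoadUnsigned models the weak design: any image that parses is executed.
// The trailing 64 bytes are never checked, so whoever can write the image
// controls what the chip runs.
func LoadUnsigned(img []byte) ([]byte, error) {
	_, _, payload, err := parseHeader(img)
	return payload, err
}

// LoadVerified models the hardened design: the payload is only handed over
// for execution if the signature verifies under the pinned vendor key.
func LoadVerified(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	signed, sig, payload, err := parseHeader(img)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrBadImage
	}
	return payload, nil
}

// Tamper overwrites the start of the payload with attacker-chosen bytes,
// standing in for patching malicious behaviour into the firmware. The
// original signature is left in place; patch must not exceed the payload.
func Tamper(img []byte, patch []byte) []byte {
	out := append([]byte(nil), img...)
	copy(out[hdrLen:], patch)
	return out
}

// Demo runs both loaders against a genuine and a tampered image and reports
// which loader accepted what.
func Demo() (genuineVerified, tamperedUnsigned, tamperedVerified bool) {
	pub, priv := NewVendorKey()
	good := BuildImage(priv, 1, []byte("legitimate bluetooth firmware"))
	bad := Tamper(good, []byte("malicious bluetooth firmware!"))
	_, errGood := LoadVerified(pub, good)
	_, errUnsigned := LoadUnsigned(bad)
	_, errVerified := LoadVerified(pub, bad)
	return errGood == nil, errUnsigned == nil, errVerified == nil
}

func main() {
	gv, tu, tv := Demo()
	fmt.Printf("genuine image, verifying loader:  accepted=%v\n", gv)
	fmt.Printf("tampered image, unsigned loader:  accepted=%v\n", tu)
	fmt.Printf("tampered image, verifying loader: accepted=%v\n", tv)
}
```

The unsigned loader accepts the tampered image because it has no way to tell a vendor build from an attacker's patch; the verifying loader rejects it because any change to the signed region invalidates the signature. Note that verification only helps if the public key itself is pinned in read-only storage on the chip, otherwise an attacker who can replace the firmware can replace the key as well.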
The researchers' paper, entitled “Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones,” notes that the “design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications.” Find My falls into this category, and the weakness is exploitable on iOS 15.
Taking advantage of this oversight requires a jailbroken iPhone, since the attacker needs privileged access to the phone to replace the firmware at all. However, the research highlights a risk that always-on features of iPhones could be exploited in the future, especially if Apple does not implement firmware protection for the chips that are allowed to keep running in this LPM state.
The research team contacted Apple about the potential security risk this poses, but Apple has yet to respond. Apple engineers did take the time to review the paper before it was published, though. As the exploit currently requires a jailbreak to work, one would hazard a guess that Apple will quietly lock down the Bluetooth chip firmware in the near future as a precaution.