Researchers: Malware can run on iPhones that are switched off

A smartphone that is switched off is not really off. We know this from movies where batteries are removed from smartphones and the devices are placed in a refrigerator or tin cans. It is indeed possible to run malware on an iPhone that is switched off. Security researchers from Darmstadt have just proven this in an experiment. It's a bit tricky and relies on the Bluetooth, NFC and other radio chips in an iPhone, but it works.


The info already came to my attention two days ago and is addressed in the following tweet; Hackread also has this post about it. The team around Jiska Classen, Robert Reith, Alexander Heinrich and Matthias Hollick from the Secure Mobile Networking Lab at TU Darmstadt has described the whole thing in an 11-page document titled Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones (PDF). The research results are to be presented this week at WiSec 2022 (ACM Conference on Security and Privacy in Wireless and Mobile Networks).

Malware on an iPhone that's switched off

In their work, the security researchers took advantage of the fact that most of the radio chips (for Bluetooth, near-field communication (NFC) or WLAN) remain switched on and continue to be powered by the battery when the iPhone is switched off. This is what allows a device owner to locate a switched-off iPhone, for example, using the "Find My network" function. If the battery charge runs out, the iPhone switches off automatically, but internally it only changes to a power-saving mode, so it is not completely switched off even then. Users can still access data from credit cards, student IDs and other information stored in the wallet (digital wallet) on the iPhone in the security chip (Secure Enclave Processor).

The team at TU Darmstadt's Secure Mobile Networking Lab has now analyzed how Apple implemented these standalone features, which provide wireless access to the digital wallet and work even when iOS is not running. The research paper shows that on current iPhones, Bluetooth, near-field communication (NFC) and ultra-wideband (UWB) continue to work even after the device is turned off.

In addition, all three of these wireless chips have direct access to the security chip where the digital wallet data is stored. In their document, the team demonstrates that there is a way to load malware onto the Bluetooth chip of the iPhone. That malware can then be executed while the iPhone is turned off.


The details can be found in the PDF document Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones.

So far, the whole thing is only a demonstration that it works, but it shows what security problems lie dormant in modern devices. Even iPhones that are turned off can be turned into tracking and surveillance devices.
