Your iPhone may be susceptible to threats even when powered off, researchers at Germany’s Technical University of Darmstadt have found
When the iPhone is turned off, most wireless chips, including Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB), keep running for up to 24 hours. This way, the phone still remains locatable via the Find My network and you are still able to access items like credit cards, student passes, and digital keys.
These wireless chips have direct access to the secure element and apparently, this could be exploited to install malware on the iPhone even when iOS is not running.
The wireless chips run in a Low-Power Mode (LPM), not to be confused with the energy-saving mode that extends battery life. Support for LPM is implemented in the hardware, meaning this problem cannot be fixed with a software-side fix.
Researchers conducted a security analysis of LPM features introduced with iOS 15 and have found that Bluetooth LPM firmware can be modified to run malware on the iPhone. These loopholes have not been looked into before and may allow hackers with system-level access to track someone’s location or run new features on a phone.
The issue seems to stem from the fact that LPM features have been designed around functionality and apparently not much thought was given to possible threats outside of the intended applications.
Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation. Tracking properties could stealthily be changed by attackers with system-level access.
notes that most iPhone users have nothing to worry about as infections required a jailbroken iPhone. Still, the security hole could be used by spyware like Pegasus
to target people and might even be used to infect chips in the event bad actors discover flaws that are susceptible to over-the-air exploits.
The findings were disclosed to Apple and the company also read the paper but did not provide any feedback.