Researchers demonstrate how to install malware on iPhone after it's switched off

Apple logo on the side of a building
(Image credit: Shutterstock)

A team of German researchers have discovered a new threat model affecting Apple iPhones that allows malware to be installed on a device even when it’s switched off.

Researchers were able to show that malware could be installed on an iPhone’s Bluetooth chip - one of the few components that both remain active after the device is shut down, and also has access to an iPhone’s secure element.

The discovery is reliant on an iPhone user running iOS 15 or later since this was the release that added the functionality to find the device even after it had been shut down.

Most wireless chips remain activated on an iPhone for users who have enabled the ‘Find My network’ setting in Apple’s Find My app, even if it has been manually powered down.

These wireless chips: Bluetooth, NFC, and ultra-wideband (UWB) are all hardwired to the phone’s secure element - the area in which secrets are stored - and can therefore no longer be trusted components of the device, the researchers said, given that they are accessible after a shutdown.

The researchers were able to write to the Bluetooth chip in an iPhone 13 by exploiting a legacy feature that requires iOS to be able to write to the executable RAM regions using a vendor-specific host-controller interface (HCI) command.


The truth about cyber security training

Stop ticking boxes. Start delivering real change.


Attackers could theoretically modify the custom functionality of the Bluetooth chip during a low power mode, via malware, to send the device’s location to the attacker, or add new functionality entirely, the researchers said in a paper.

Although the attack is not currently exploited in the wild, and according to other researchers speaking to Vice, prospective attackers would need to chain this vulnerability with a separate exploit to execute it, the researchers’ work presents a new threat model to be aware of.

Businesses that have equipped their workforce with iPhones running iOS 15 or later should consider turning off the Find My network as a device policy before issuing to employees.

The researchers did stipulate that the Find My network feature did, overall, improve the security of the iPhone, despite the new threat model its new functionality presents.

IT Pro contacted Apple for a response but it did not reply at the time of publication and declined to comment on the story to other media outlets.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.