Researchers demonstrate how to install malware on iPhone after it's switched off

A team of German researchers have discovered a new threat model affecting Apple iPhones that allows malware to be installed on a device even when it’s switched off.

Researchers were able to show that malware could be installed on an iPhone’s Bluetooth chip - one of the few components that both remain active after the device is shut down, and also has access to an iPhone’s secure element. 

The discovery is reliant on an iPhone user running iOS 15 or later since this was the release that added the functionality to find the device even after it had been shut down.

Most wireless chips remain activated on an iPhone for users who have enabled the ‘Find My network’ setting in Apple’s Find My app, even if it has been manually powered down.

These wireless chips: Bluetooth, NFC, and ultra-wideband (UWB) are all hardwired to the phone’s secure element - the area in which secrets are stored - and can therefore no longer be trusted components of the device, the researchers said, given that they are accessible after a shutdown.

The researchers were able to write to the Bluetooth chip in an iPhone 13 by exploiting a legacy feature that requires iOS to be able to write to the executable RAM regions using a vendor-specific host-controller interface (HCI) command.

Related Resource

The truth about cyber security training

Stop ticking boxes. Start delivering real change.

Free download

Attackers could theoretically modify the custom functionality of the Bluetooth chip during a low power mode, via malware, to send the device’s location to the attacker, or add new functionality entirely, the researchers said in a paper.

Although the attack is not currently exploited in the wild, and according to other researchers speaking to Vice, prospective attackers would need to chain this vulnerability with a separate exploit to execute it, the researchers’ work presents a new threat model to be aware of.

Businesses that have equipped their workforce with iPhones running iOS 15 or later should consider turning off the Find My network as a device policy before issuing to employees.

The researchers did stipulate that the Find My network feature did, overall, improve the security of the iPhone, despite the new threat model its new functionality presents.

IT Pro contacted Apple for a response but it did not reply at the time of publication and declined to comment on the story to other media outlets.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download