Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones

Good news, everyone! The low power bluetooth processors and such in iPhones aren’t secure, and can be used for evil, while being legitimately low power.

When an iPhone is turned off, most wireless chips stay on. For instance, upon user-initiated shutdown, the iPhone remains locatable via the Find My network. If the battery runs low, the iPhone shuts down automatically and enters a power reserve mode. Yet, users can still access credit cards, student passes, and other items in their Wallet. We analyze how Apple implements these standalone wireless features, working while iOS is not running, and determine their security boundaries. On recent iPhones, Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB) keep running after power off, and all three wireless chips have direct access to the secure element. As a practical example of what this means to security, we demonstrate the possibility to load malware onto a Bluetooth chip that is executed while the iPhone is off.

This is wonderful.

Have you tried turning it off and then putting a .45 through it repeatedly?

I really, really don’t like devices I can’t cut power to. Had a laptop that wouldn’t work with a dead battery - no way to cut power but to disassemble it.

Perks of my Flip IV…

What’s more interesting is that the various “powered down Find My” functions don’t really work as advertised - they’ll only broadcast for 24h and then be done.

Unless you’re the target of quite high level malware, it doesn’t sound too easy to use, but being able to reprogram a low power chip with your own firmware, and have it do your own things, is… concerning. At least the mic inputs don’t seem to go into that chip - from schematics, apparently the mic goes into the “always on processor,” which isn’t powered on in the super low power modes, so there’s no way to make a Bluetooth Bug out of it.

But, yes, I like being able to casually flip the battery out of my phone.