Just because your iPhone is powered off doesn’t mean it can’t be attacked

David Strom 19 May 2022

The better we understand how adversaries can eavesdrop on our phones, the more confidence we can have in our privacy. 

Did you know that even when your iPhone is turned off, some of its components are still getting power? Researchers have found that this is what lets a new attack vector operate without your knowledge. The issue lies with the iPhone's Low Power Mode (LPM), the state the phone enters after shutdown (not the battery-saving setting of the same name): while the phone is in this state, certain wireless chips, including the Bluetooth chip, keep running. Apple's LPM features were introduced with iOS 15 and enable things such as Find My, which can keep locating a phone even after it has been turned off.

One person’s feature is another person’s exploit

This is what researchers from the Secure Mobile Networking Lab at the Technical University of Darmstadt, Germany, found. They published a paper titled "Evil Never Sleeps" in which they explain that the Bluetooth firmware is not protected against modification, so an adversary who already has privileged access to the phone (the paper demonstrates this on a jailbroken iPhone) can plant malware that keeps running after the phone is turned off. While the attack is complex and requires a number of steps, the researchers show that it is, in fact, quite possible to carry out.

In their paper, the researchers state, "The current LPM implementation on Apple iPhones is opaque and adds new threats. Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation."

They recommend that Apple add a real hardware power switch, one that completely disconnects the battery, to its iPhones for users concerned about the issue. Apple hasn't yet responded.

The LPM attack is reminiscent of two other ways that sneaky stuff can get onto your devices. The first is NSO Group's Pegasus spyware, which is "zero-click": it doesn't require any action from the target to infect a phone. One of its vectors, for example, exploits a vulnerability in Apple's iMessage app. This remote-access spyware has been used in a variety of sensitive political circumstances, including against presidents of several countries and against journalists.

Air gaps posing a risk

A second is by exploiting air gaps, or rather the false sense of security we get from thinking our devices are disconnected from any internet or Wi-Fi connection. We previously wrote about research carried out by Ben-Gurion University's cyber lab in Israel, which showed that all sorts of things can be used to move data out of your phone or computer, including LED disk-activity lights and GPUs.

Since we posted that piece, the group has identified a new attack method called LANTENNA. Malware installed on an air-gapped target computer encodes data into the electrical activity on its Ethernet cable, and the cable then leaks that data as radio-frequency emissions: it acts as an antenna. A suitably tuned receiver a couple of meters away can pick up these signals and deliver the information to an attacker. The researchers used two different techniques to generate the emissions: toggling the network link speed, and sending raw UDP packets to carry the data.
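To make the link-speed variant concrete, here is an added toy model of that channel and a detector for it. This is example code written for this article, not code from the Ben-Gurion researchers or from the LANTENNA paper: it maps each bit of a message to a symbol period in which the link is "fast" or "slow" (on-off keying), shows a receiver reading the bits back by sampling once per period, and then runs a simple rate check over constructed kernel-style link messages, since rapid link renegotiation on a machine that should be idle is exactly the kind of anomaly a defender can watch for. No hardware is touched; the symbol period, the 1000/100 Mbps speeds, and the log line format are assumptions for illustration.

```python
"""Toy model of a link-speed covert channel and a log-based detector for it.

Added example for illustration; not the researchers' code. All log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAST, SLOW = 1000, 100  # Mbps; the link speed is the carrier (assumed values)


def bits_of(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def link_schedule(data: bytes, period: float):
    """Transmitter: one symbol period per bit, 1 -> fast link, 0 -> slow link.

    Returns (offset_seconds, speed_mbps) only at transitions, because that is when a
    NIC would actually renegotiate and when the kernel would log something.
    """
    events, current = [], None
    for n, bit in enumerate(bits_of(data)):
        speed = FAST if bit else SLOW
        if speed != current:
            events.append((n * period, speed))
            current = speed
    return events


def decode_schedule(events, nbits: int, period: float) -> bytes:
    """Receiver: sample the carrier state once per symbol period and rebuild the bytes."""
    bits, idx, speed = [], 0, SLOW
    for n in range(nbits):
        t = n * period
        while idx < len(events) and events[idx][0] <= t + 1e-9:
            speed = events[idx][1]
            idx += 1
        bits.append(1 if speed == FAST else 0)
    out = bytearray()
    for i in range(0, nbits - nbits % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def render_dmesg(events, iface="eth0", start=datetime(2022, 5, 19, 10, 0, 0)):
    """Constructed lines shaped like Linux NIC driver link messages (format is assumed)."""
    return [
        f"{(start + timedelta(seconds=t)).isoformat()} kernel: {iface}: NIC Link is Up {s} Mbps Full Duplex"
        for t, s in events
    ]


LINK_RE = re.compile(r"^(?P<ts>\S+) kernel: (?P<iface>\w+): NIC Link is Up (?P<speed>\d+) Mbps")


def flag_link_flapping(lines, window: float = 60.0, max_changes: int = 4):
    """Detector: return {iface: peak} for interfaces whose link speed changed more than
    max_changes times inside any sliding window of `window` seconds."""
    last_speed, recent, peak = {}, defaultdict(deque), defaultdict(int)
    for line in lines:
        m = LINK_RE.match(line)
        if not m:
            continue
        iface, speed = m["iface"], int(m["speed"])
        ts = datetime.fromisoformat(m["ts"])
        if last_speed.get(iface) == speed:
            continue  # same speed reported again: not a renegotiation
        last_speed[iface] = speed
        q = recent[iface]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        peak[iface] = max(peak[iface], len(q))
    return {iface: n for iface, n in peak.items() if n > max_changes}


if __name__ == "__main__":
    sched = link_schedule(b"hi", period=1.0)
    print(decode_schedule(sched, 16, 1.0))          # b'hi'
    print(flag_link_flapping(render_dmesg(sched)))  # {'eth0': 10}
```

The detector deliberately ignores repeated reports of the same speed and only counts real renegotiations, so a normal boot (one link-up) or an occasional cable reseat stays below the threshold, while a message being clocked out at one bit per second trips it within a single window. Real driver message formats differ between NICs, so the regex would need to match your own kernel's wording.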

Given how unlikely it is that this LPM attack, Pegasus, or an air-gap compromise will hit you, should you be worried? Yes, but not for paranoid reasons. The better we understand how adversaries can eavesdrop on our phones, the more confidence we can have in our privacy, and the better we can protect our communications.
