Until now, most of us had assumed that the safest way to keep our devices from getting hacked was to switch them off. It can’t be hacked if your device isn’t powered on, right? A group of researchers has shown that it still can be.
People have always assumed that Apple’s iPhones are some of the most secure devices and that they have the least number of vulnerabilities.
However, a group of researchers from the Secure Mobile Networking Lab at the University of Darmstadt, Germany, has published a paper describing a theoretical method for hacking an iPhone even when the device is switched off.
According to a blog post by Kaspersky, one of the world’s leading antivirus and internet security service providers, the study conducted by the University of Darmstadt examined the operation of the wireless modules in an iPhone and found ways to analyze the Bluetooth firmware.
They introduced a malware program capable of running completely independently of iOS, the device’s operating system.
In 2021, Apple announced that the Find My Device service, which is used for locating a lost device, would work even if the device was switched off. This feature is available in all Apple smartphones starting with the iPhone 11.
Even though this functionality has been a lifesaver for several people over the years, there are some pretty brutal ways in which it can compromise safety.
Even when switched off, iPhones don’t turn off entirely but switch to Low Power Mode, in which only a minimal set of modules are kept alive.
These are primarily the Bluetooth and Ultra-Wideband (UWB) wireless modules, and NFC, provided the battery has sufficient power.
Even when the device is in this Low Power Mode, it sends information about itself.
The researchers in Germany carried out a detailed analysis of the Find My service in Low Power Mode and discovered some rather strange things.
After the device is powered off, most of the work is handled by the Bluetooth module, which gets reconfigured by a set of iOS commands. It then periodically sends data packets over the air, allowing other nearby devices to know its location.
The main discovery was that the firmware of the Bluetooth module is not encrypted and not protected. The lack of encryption permits analysis of the firmware and a search for vulnerabilities, which can later be used in attacks. The absence of Secure Boot allows attackers to go further and completely replace the manufacturer’s code with their own, which the Bluetooth module executes. The device does not need to be turned on even once in this entire process.
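To make the missing control concrete, here is an added illustration (not code from the article, the paper or Apple) of what a Secure Boot check on a wireless module's firmware does and why its absence matters. The firmware image, the signing key and the manifest format are all constructed placeholders; a real chain uses an asymmetric signature with the public key burned into ROM, and HMAC stands in for it here only so the example runs with the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a Bluetooth module firmware image (not real firmware).
TRUSTED_FIRMWARE = b"BT-FW: reconfigure for Low Power Mode; broadcast Find My beacon"

# Placeholder for the vendor's signing secret. A real secure-boot chain uses a
# private key at the vendor and a public key pinned in the chip's ROM/fuses;
# HMAC is used here only to keep the example dependency-free.
SIGNING_KEY = b"vendor-signing-key-placeholder"


def make_manifest(image: bytes, version: int, key: bytes = SIGNING_KEY) -> dict:
    """Vendor side: bind the image digest and a version number under a signature."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, encoded, hashlib.sha256).hexdigest()}


def secure_boot(image: bytes, manifest: dict, min_version: int,
                key: bytes = SIGNING_KEY) -> str:
    """Root-of-trust side: run only firmware that is signed, intact and not rolled back."""
    encoded = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, encoded, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return "halt: manifest signature invalid"
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(),
                               manifest["body"]["sha256"]):
        return "halt: image digest does not match manifest"
    if manifest["body"]["version"] < min_version:
        return "halt: rollback to older firmware refused"
    return "run"


def unverified_boot(image: bytes) -> str:
    """The situation the researchers describe: no integrity check, so any image runs."""
    return "run"


def modified(image: bytes) -> bytes:
    """Constructed example of an image altered after signing."""
    return image + b"; unsigned modification"


if __name__ == "__main__":
    manifest = make_manifest(TRUSTED_FIRMWARE, version=2)
    print(secure_boot(TRUSTED_FIRMWARE, manifest, min_version=2))
    print(secure_boot(modified(TRUSTED_FIRMWARE), manifest, min_version=2))
    print(unverified_boot(modified(TRUSTED_FIRMWARE)))
```

The three checks are independent on purpose: the signature stops anyone without the vendor key from issuing a manifest, the digest comparison stops a signed manifest from being reused with a different image, and the minimum version stops a genuinely signed but older, vulnerable image from being reinstalled. Without the first two, which is the state the paper describes for the Bluetooth firmware, the module behaves like `unverified_boot` and executes whatever it is handed.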