Your snoozing iOS 15 iPhone may actually be sleeping with one antenna open

No, you're not really gonna be hacked. But you may be surprised


Some research into the potentially exploitable low-power state of iPhones has sparked headlines this week.

While pretty much no one is going to utilize the study's findings to attack Apple users in any meaningful way, and only the most high-profile targets may find themselves troubled by all this, it at least provides some insight into what exactly your iOS handheld is up to when it's seemingly off or asleep. Or none of this is news to you. We'll see.

According to the research, an Apple iPhone that goes asleep into low-power mode or is turned off isn't necessarily protected against surveillance. That's because some parts of it are still operating at low power.

Under iOS 15, some chips inside an iPhone in either of those two power states remain active so that the owner can always wirelessly locate their lost cellphones via the Find My iPhone functionality, open their nearby locked cars, or make payments. Low-power Bluetooth, near-field communications (NFC) and ultra-wideband (UWB) connectivity are kept alive in the phone to make this possible.

There is firmware in the device that runs when the phone is in low-power mode (LPM) to handle this wireless functionality; it is this firmware, tied to a Bluetooth controller chip, that can be altered to contain malware that essentially runs all the time, whether the iPhone is awake or asleep or off, presumably until the battery is completely dead. This malware could be designed to track and report the user's movements, snoop on them, and so on.

These findings were put together by a team at the Secure Mobile Networking Lab (SeeMoo) of the Technical University of Darmstadt, Germany.

"The current LPM implementation on Apple iPhones is opaque and adds new threats," they wrote in their 11-page paper, adding that because this is by design happening at the hardware level, "it has a long-lasting effect on the overall iOS security model. Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications."

Don't panic

There are some significant caveats to this. The biggest one is that in order to infect the LPM firmware, so that malicious code can continue running even when the phone is seemingly asleep or off, the device needs to be completely compromised. Whoever has this necessary level of control over your phone can already snoop on your messages, steal your data, change your apps, and so on. Modifying the firmware is the cherry on the cake for whoever has infiltrated your device; it's an unnecessary step against the vast majority of victims, and only necessary for some truly high-level targets.

That said, it appears that once you have this privileged access, there are no protections in the device to stop you changing the LPM firmware.

"On modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown," the SeeMoo academics wrote. "This poses a new threat model."

It takes a switch

The researchers said they responsibly disclosed these findings to Apple engineers before the paper was publicly distributed. However, the team said they received no feedback from Apple. The academics recommend Apple add a hardware-based switch to disconnect the battery to improve security and protect valuable surveillance targets such as scientists, activists, politicians, and journalists.

Some countries secretly installed NSO Group's controversial Pegasus spyware on smartphones to covertly and remotely track people, including reporters, campaigners, and other citizens. It's perhaps this level of snoopware that would take advantage of the lack of protections around LPM firmware.

Jaye Tillison, director of security strategy at Axis Security, told The Register SeeMoo's research is important though the threat right now is muted: it's non-trivial to fully exploit.

That said, "if threat actors begin targeting iOS devices with new malware this could have a huge impact on businesses, and their attack surface – which has now expanded to every user device and across all working locations – both in and out of the office," Tillison said.

"We typically see a significant percentage of end-users connecting through an iOS device. If you think about the 300 million users just within the Fortune 2000 accounts alone, with 2.5 end user devices per user, that number can be huge."

It's also a warning as businesses continue to use more of these technologies: "Security must become embedded into the fabric of IoT [Internet of Things]," he said. "For far too long, we've coasted and coasted along. We've ignored security due to cost. This is not a good road to keep traveling down."

Enterprises need to adopt technologies that don't allow infected devices to connect to the corporate network, and equipment that inspects traffic – even private traffic – to keep sensitive data from flowing down to compromised devices, and to realize that employees need to be educated to protect themselves, he said. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022