Up until now, most of us had assumed that the safest way to keep a device from getting hacked was simply to switch it off. If a device isn’t powered on, it can’t be hacked, right? Well, a group of researchers has shown that it still can be.
People have always assumed that Apple’s iPhones are among the most secure devices and that they have the fewest vulnerabilities.
However, a group of researchers from the Secure Mobile Networking Lab at the University of Darmstadt, Germany, has published a paper describing a theoretical method for hacking an iPhone even when the device is switched off.
According to a blog post by Kaspersky, one of the world’s leading antivirus and internet security service providers, the study conducted by the engineers at the University of Darmstadt examined the operation of the wireless modules in an iPhone and found ways to analyze the Bluetooth firmware.
As a result, they were able to introduce a malware program capable of running completely independently of iOS, the device’s operating system.
In 2021, Apple announced that the Find My Device service, which is used for locating a lost device, would work even if the device had been switched off. This feature is available in all Apple smartphones starting with the iPhone 11.
Even though this functionality has been a lifesaver for a number of people over the years, there are some pretty serious ways in which it can compromise safety.
Even when switched off, iPhones don’t turn off completely but switch to Low Power Mode, in which only a very limited set of modules are kept alive.
These are primarily the Bluetooth and Ultra WideBand (UWB) wireless modules, as well as NFC, provided there is sufficient power in the battery.
In other words, even when the device is in this Low Power Mode, it still sends out information about itself.
The researchers in Germany carried out a detailed analysis of the Find My service in Low Power Mode and discovered some rather surprising things.
After the device is powered off, most of the work is handled by the Bluetooth module, which gets reconfigured by a set of iOS commands. It then periodically sends data packets over the air, allowing other devices in its vicinity to know its location.
The main discovery was that the firmware of the Bluetooth module is neither encrypted nor otherwise protected. The lack of encryption permits analysis of the firmware and a search for vulnerabilities that can later be used in attacks. The absence of Secure Boot allows an attacker to go further and completely replace the manufacturer’s code with their own, which the Bluetooth module then executes. Throughout this entire process, the device never needs to be turned on.