Malware Can Be Loaded Even Onto Phones That Are Turned Off, Researchers Show

With the latest iOS, it’s possible to locate your iPhone even if it’s powered off. That’s because even when the iPhone is turned off, certain wireless chips remain on, allowing the phone to still send signals that can help locate it. 

Now, a group of researchers from the Technical University of Darmstadt in Germany has found that one of those chips, the one that enables Bluetooth, can be exploited and hacked to install malware on the phone—even when it’s turned off. 

The researchers said in their research paper, posted last week to the arXiv preprint server, that they were able to show that it’s possible install malware on the Bluetooth chip. It’s important to note, though, that this research is at this point mostly theoretical and there’s no evidence that this kind of attack has been used in the wild. Also, as the researchers point out in the paper, hackers would need to first hack and jailbreak the iPhone to be able to access the Bluetooth chip and exploit it, potentially making it a bit redundant in most cases.

Still, even for hackers who have already taken control of the phone, hacking the Bluetooth chip would give them access to another place to collect data, an especially useful one because it’s available even when the phone is powered off. 

“[Low-Power Mode] is a relevant attack surface that has to be considered by high-value targets such as journalists, or that can be weaponized to build wireless malware operating on shutdown iPhones,” the paper read. 

The researchers explain in the paper that the Bluetooth chip, as well as other wireless chips—those that run Near Field Communication or NFC, which is used for Apple Pay, for example,  and Ultra-wideband (UWB) which is used along with Bluetooth to turn the iPhone into a car key—keep running when the phone is off in what the researchers call Low-Power Mode, noting that it “is different from the energy saving mode indicated by a yellow battery icon.”

The researchers conclude that Apple’s implementation of this Low-Power Mode ultimately enhances the security of users because it allows them to find a lost or stolen phone even if it’s turned off. But because the wireless chips are still on, they also pose a new threat model. 

The researchers wrote in the paper that they disclosed the issues they found to Apple, and the company did not have any feedback.

Apple declined to comment. 

The researchers did not respond to a request for comment. 

Ryan Duff, a security researcher who has experience with iOS, told Motherboard that the attack described in the paper would be useful as an add-on to an existing malware implant “but it's not really a standalone attack without additional vulnerabilities and exploits.” That’s because the researchers did not show that it’s possible to hack the Bluetooth chip on its own and then jump from there and hack the phone. 

“It may be possible to exploit the Bluetooth chip directly and modify the firmware but the researchers did not do that and there isn't a known exploit that would currently allow that,” Duff, who is the director of cyber products at cybersecurity firm SIXGEN, told Motherboard in an online chat after reviewing the research paper. “The same applies from jumping from the Bluetooth to the phone. It would require an additional exploit.”

Still, the researchers’ findings show an attack that could have real-life applications. 

“It's something running after the phone is off, which could be useful,” Ryan added. “Network connectivity is not part of it though so whatever is collected would only be accessible to an attacker after power-on.”

Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.