EXECUTIVE SUMMARY:
Researchers discovered a means of exploiting the software that supports Apple’s Find My feature, potentially enabling attackers to track a person’s location, even if a device is powered down.
iPhone ‘Find My’ feature
The iPhone Find My feature allows people to locate lost or stolen devices, or to use credit cards and car keys after the phone’s battery dies. Researchers from the Technical University of Darmstadt Germany have uncovered a means of abusing this ‘always-on’ mechanism to run malware.
How it works
The iPhone’s Bluetooth chip, a critical component of the Find My feature, lacks a mechanism for digitally signing or encrypting the firmware that it operates. Security professionals have determined how to exploit this lack of hardening to run malicious firmware. The firmware allows hackers to track a phone’s location or to use certain features despite the fact that a phone may be ‘off’.
Risk posed by chips in low-power mode
Few researchers have closely explored the risk posed by chips running in low-power mode. Although easily confused with iOS’s low-power mode for conserving battery life, the low-power mode (LPM) referred to in this research allows chips responsible for near-field communication, ultra wideband and Bluetooth to operate in a special mode that persists for as long as 24 hours after device power-downs.
Researchers’ perspectives
According to the researchers, the current low-power mode implementation on Apple’s iPhone is opaque and “adds new threats.” Because LPM support relies on the iPhone’s hardware, issues cannot see removal via system updates. As a result, the recently discovered concern may have a long-lasting effect on the overall iOS security model.
“Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design and the implementation within the Bluetooth firmware is not secured against manipulation.”
Real-world implications
Infection through this modality requires jailbreaking an iPhone; a difficult task. Nonetheless, adversarial pursuit of the ‘always-on’ feature in iOS could lead to new post-exploit scenarios if hackers use Pegasus-type malware. The potential for over-the-air exploits of chips also concerns researchers.
Further, exploits targeting LPM might operate in greater stealth than more traditional exploit attempts, as LPM allows firmware to conserve battery power. Firmware infections are particularly challenging to detect as detection requires extensive expertise and expensive tools.
However unlikely, the risk is real. Compromise of phones in this way can provide hackers with access to a person’s credit card data, banking details or even the digital car keys.
In summary
Find My and other LPM-enabled features provide added layers of personal security, as they permit individuals to find lost or stolen devices, and to lock or unlock car doors in spite of battery depletion. They’re convenient and generally well-liked features. However, the emerging research reveals a more sinister side to their existence.
In terms of a potential solution, Apple could theoretically add a hardware-based switch to disconnect the battery, preventing wireless elements from retaining access to power while an iPhone is powered down, according to security professionals.
In turn, this could improve the situation for individuals concerned about privacy and for those targeted by surveillance tech, including journalists, politicians, and diplomats.
For more information about phone security, please see CyberTalk.org’s past coverage. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.