A new report has revealed that iPhones are vulnerable to malware attacks even when they’re turned off.
Wired reports that according to a recent study from researchers at Germany’s Technical University of Darmstadt, iPhone devices are still vulnerable to malware attacks even when powered off. When turning an iPhone off, chips inside the device still run in a low-power state making it possible to locate the lost or stolen device using the Find My app.
Now, researchers have developed a method to run malware on iPhones even when the devices appear to be powered off. The Bluetooth chip in all iPhones has no way to digitally sign or encrypt the firmware it runs, researchers have now developed a method to exploit the lack of security on the chip and run malicious firmware allowing the researchers to track the iPhone’s location or run new features.
In a recently published paper, the researchers studied the risk posed by chips running in a low-power mode that allows chips responsible for NFC, ultra-wideband, and Bluetooth to run in a more that can remain active for 24 hours after a device is turned off.
Researchers stated: “The current LPM implementation on Apple iPhones is opaque and adds new threats. Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.”
The researchers added: “Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”
Read more at Wired here.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or contact via secure email at the address firstname.lastname@example.org