The wireless chips help iPhone users find their Apple devices if lost, provide other functional Near-field communication (NFC) abilities such as wireless payment, and allow users to interact with their car. However, cybercriminals could theoretically weaponize these design features to orchestrate financial and car theft, as well as hack journalists and other high-profile targets, a paper published by researchers from Germany’s Technical University of Darmstadt said.
Malware Can Be Loaded While Phone Is Off
The current “undocumented” iPhone LPM implementation in iOS 15 is hardware-based, and cannot be remedied with a software update, the researchers wrote. The NFC functionality, Ultra-wideband (UWB), and Bluetooth chips of newer iPhones continue to run after the device is powered off while still having “direct access to the secure element.” Based on that, the LPM mode can be exploited to conduct stealth attacks that do not drain the battery. Attackers with system-level access could quietly track users, modify firmware, disable “Find My” or use “Express Cards” and “Keys” for financial or physical asset theft, the paper states. Attackers could also employ “remote code execution.” The researchers created a Proof-of-Concept using a jailbroken iOS device to show that attackers could potentially build custom firmware and malware to compromise users in these ways. “[This] has a long-lasting effect on the overall iOS security model,” the researchers wrote. “Apple should add a hardware-based switch to disconnect the battery. This would improve the situation for privacy-concerned users and surveillance targets like journalists,” they added.
Which Services Keep Running in LPM Mode?
Apple’s iPhone LPM is not to be confused with its battery-saving mode. The LPM is active on a hardware level only when the device is switched off by a user, or if it automatically switches off due to a low battery. In LPM, the iPhone does not shut down its Bluetooth, near-field communications (NFC), and ultra-wideband chips (UWB). This is to facilitate emergency services such as “Find My iPhone” and “Express Mode.” The latter enables “selected student, travel, and credit cards, as well as digital keys” to be available quickly without additional user authentication. Essentially, it allows users to unlock their cars and make payments while the iPhone is on its power reserve. Furthermore, Apple’s iOS 15 update introduced an offline finding network based on Bluetooth Low Energy (BLE) as well as “Digital Car Key” (DCK) 3.0 support — both of which operate standalone when an iPhone is off.
Which iPhones Are Affected?
According to the study, iPhone 11 and later models are susceptible to the aforementioned security risks. Apple has outfitted these later models with DCK 3.0, UWB, LPM components, and a new “unsigned” Bluetooth firmware patch format. The New Secure Element (SE) and inter-chip interfaces are also present in the affected iPhone models.
Is There a Workaround?
According to the researchers, high-value targets like journalists can install a “transmission monitoring device” to detect “LPM malware.” The device can be mounted on the back of an iPhone 6. However, this would be more difficult to apply to modern iPhones, if at all. Putting an iPhone in a “Faraday bag” may prove successful if done right, researchers noted.
Apple Did Not Respond
The researchers said they disclosed the issues to Apple, who read the text before publication but did not respond with any feedback. The study is a contribution to the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks and is possibly the first study of its kind to scrutinize Apple’s LPM features in iOS 15.
Tips for iPhone Users
Whether you are a high-value target or otherwise, for optimal privacy and security, we generally recommended that you use a VPN and a powerful antivirus when connecting to the internet. It is also important to exercise caution when conducting financial transactions or connecting to a car with your smartphone. Since this vulnerability is a hardware issue, it remains to be seen how Apple will resolve it. There is a possibility that the company may recall the affected devices, as a software update may not be enough to plug the security loophole. Wireless technology is here to stay and make our lives easier. However, cutting-edge smartphone features always open the door to more vulnerabilities. Have a look at our detailed guide to Bluetooth safety for more information. You might also find our Apple AirTag security analysis informative.