A team of German researchers have discovered a new threat model affecting Apple iPhones that allows malware to be installed on a device even when it’s switched off.
Researchers were able to show that malware could be installed on an iPhone’s Bluetooth chip - one of the few components that both remain active after the device is shut down, and also has access to an iPhone’s secure element.
The discovery is reliant on an iPhone user running iOS 15 or later since this was the release that added the functionality to find the device even after it had been shut down.
Most wireless chips remain activated on an iPhone for users who have enabled the ‘Find My network’ setting in Apple’s Find My app, even if it has been manually powered down.
These wireless chips: Bluetooth, NFC, and ultra-wideband (UWB) are all hardwired to the phone’s secure element - the area in which secrets are stored - and can therefore no longer be trusted components of the device, the researchers said, given that they are accessible after a shutdown.
The researchers were able to write to the Bluetooth chip in an iPhone 13 by exploiting a legacy feature that requires iOS to be able to write to the executable RAM regions using a vendor-specific host-controller interface (HCI) command.
RELATED RESOURCE
The truth about cyber security training
Stop ticking boxes. Start delivering real change.
FREE DOWNLOAD
Attackers could theoretically modify the custom functionality of the Bluetooth chip during a low power mode, via malware, to send the device’s location to the attacker, or add new functionality entirely, the researchers said in a paper.
Although the attack is not currently exploited in the wild, and according to other researchers speaking to Vice, prospective attackers would need to chain this vulnerability with a separate exploit to execute it, the researchers’ work presents a new threat model to be aware of.
Businesses that have equipped their workforce with iPhones running iOS 15 or later should consider turning off the Find My network as a device policy before issuing to employees.
The researchers did stipulate that the Find My network feature did, overall, improve the security of the iPhone, despite the new threat model its new functionality presents.
IT Pro contacted Apple for a response but it did not reply at the time of publication and declined to comment on the story to other media outlets.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
