Researchers Devise iPhone Malware That Runs Even When Device Is Turned Off (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: When you turn off an iPhone, it doesn't fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down. It turns out that the iPhone's Bluetooth chip -- which is key to making features like Find My work -- has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany's Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone's location or run new features when the device is turned off. This video provides a high overview of some of the ways an attack can work.
The findings (PDF) have limited real-world value since infections required a jailbroken iPhone, which in itself is a difficult task, particularly in an adversarial setting. Still, targeting the always-on feature in iOS could prove handy in post-exploit scenarios by malware such as Pegasus, the sophisticated smartphone exploit tool from Israel-based NSO Group, which governments worldwide routinely employ to spy on adversaries. Besides allowing malware to run while the iPhone is turned off, exploits targeting LPM could also allow malware to operate with much more stealth since LPM allows firmware to conserve battery power. And of course, firmware infections are already extremely difficult to detect since it requires significant expertise and expensive equipment.
As I've always said (Score:5, Interesting)
Just make certain you turn it off. Darn thing is always trying to connect with a cell tower so you can be located. If it's in a metal container while turned on, it'll wear the battery out pronto.
nice to have a battery you can remove! (Score:5, Insightful)
nice to have a battery you can remove!
Re: (Score:2)
Re: (Score:3)
Re: (Score:1)
Wow, I was about to write a scolding reply about people not knowing the difference between off and standby, and that there's no way a phone can do anything like "Find My", car keys etcetera if you've actually turned it off with the slider.
Then, before posting the reply, I decided to actually read the article and watch the video. WTF?! They actually did turn it off with the red slider, and the phone continued to communicate with their laptop?! What part of "off" does Apple fail to understand? Even friggin bl
Re: (Score:2)
Re: (Score:1)
Yes, you can disable "Find My" but then it's off completely. Just like with so many things Apple, you either do it their way or not at all.
Credit cards too, turn it off but then you can't use your credit cards anymore at all. That's one feature I would prefer to disable when the phone is off, but still use when the phone is on.
And anyway, even if I go through all of those settings and turn them all off (and check them again after every system update), I'm sure the chip will still be powered and the exploit
Re: (Score:2)
You didn't read the article, did you?
Explain. Does the article need read before a Faraday cage works?
My post is applicable to modern and old phones. Where I worked before this if you had a phone, you put it in a little RF Faraday cage.
Whichever you had, iPhone, Android, Nokia. If you didn't want to do that, you did not enter the premises. Maybe some people know things.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
There's nothing in this article that proves, or even implies, that phones try and connect to cell towers when turned off; of course it is always trying to connect to a cell tower if you have it on, that's exactly what you buy a phone to do. This article is about devices still sending bluetooth messages, which when picked up by turned on devices are sent back to Google, and the fact that the BT chip can be compromised.
Sigh, What I wrote about a person never trusting their smartphone unless it is turned off and in a little Faraday cage is in adjunct to the Bluetooth chip. Anyhow, trust away if you like. There is more to smartphones than Bluetooth.
Re: (Score:2)
There's nothing in this article that proves, or even implies, that phones try and connect to cell towers when turned off; of course it is always trying to connect to a cell tower if you have it on, that's exactly what you buy a phone to do. This article is about devices still sending bluetooth messages, which when picked up by turned on devices are sent back to Google, and the fact that the BT chip can be compromised.
Now sit down and take some telling. I don't care if it's an article about a UgaBuga velocity device that regulates the phlogiston level of the 5G tachyon transfer port. Bluetooth is but one of the ways that a phone can be messed with and compromised.
Believe or do not. Don't demand to be the topic czar
Demanding that all conversations in a story about phone security must be restricted to Bluetooth and only Bluetooth in an article that is about security of your phone is a tad Obsessive Compulsive.
Re: (Score:3)
The Bluetooth chip doesn't connect to cell towers, it sends out periodic signals that other devices can use to locate the phone, as part of the "Find My" network.
While the researchers note that the utility of replacing the Bluetooth firmware is currently limited, all it needs is for someone to find a suitable exploit to make it useful. The nightmare scenario would be that the firmware can be exploited remotely, and then the hacked firmware can exploit a flaw in iOS to gain a foothold there.
Re: (Score:2)
You can't replace the firmware unless you have jailbroken the phone. If you do that, you should be aware that you are opening up the risk of a number of vulnerabilities. Disabling security features on any device increases that device's vulnerability.
Re: (Score:2)
What I mean is that if the firmware is writable (i.e. not a ROM that can never be changed), it's possible that there might be a flaw in the Bluetooth stack that allows the firmware to be changed without needing to root the phone. Someone within Bluetooth range could do it.
There are examples of that happening before. Some wireless devices with microcontroller cores that can execute code from RAM can be induced to run arbitrary code. I wish more ARM microcontrollers would have a function to disable code execu
Re: (Score:1)
Yep, jailbreaking an iPhone basically turns it into an Android phone. Not what you want if you care about security.
Re: (Score:2)
The Bluetooth chip doesn't connect to cell towers, it sends out periodic signals that other devices can use to locate the phone, as part of the "Find My" network.
While the researchers note that the utility of replacing the Bluetooth firmware is currently limited, all it needs is for someone to find a suitable exploit to make it useful. The nightmare scenario would be that the firmware can be exploited remotely, and then the hacked firmware can exploit a flaw in iOS to gain a foothold there.
I'm not talking about only the BT chip. I'm talking about the entire phone. I'm talking about how if a person is concerned about their phone being exploited, in any means it needs to be turned off, and in a metal case. That takes care of the Bluetooth chip and any other exploitable aspect.
Re: (Score:2)
The Bluetooth chip doesn't connect to cell towers, it sends out periodic signals that other devices can use to locate the phone, as part of the "Find My" network.
While the researchers note that the utility of replacing the Bluetooth firmware is currently limited, all it needs is for someone to find a suitable exploit to make it useful. The nightmare scenario would be that the firmware can be exploited remotely, and then the hacked firmware can exploit a flaw in iOS to gain a foothold there.
True. Bluetooth is not cellular. My point isn't about exact methodologies, or technologies. My point is that if you have a smartphone, it is by nature a non-secure device, through many aspects besides Bluetooth. Believe or do not believe. That general phone security is somehow offtopic in a storyline about phone security shows exactly how so many of y'all get pwned.
Even so - would people be trying to support the idea that Bluetooth signals are immune to Faraday cages?
Re: (Score:2)
"Just make certain you turn it off."
That's the problem. You literally cannot turn the iPhone off. You *think* you've turned it off, but there's still stuff running on it. And there's no removable battery you can pull. The metal box should work, although that's a little inconvenient.
As I've always said (Score:2)
Jailbreak... (Score:3)
...accept the risks. No problem. This bubbles down the list of things I'm concerned about and falls right out the bottom. Of course I'm unlikely to be targeted with Pegasus.
Were I important enough to be monitored by clandestine Israeli groups I'd probably not use an iPhone. Or an Android one. I'd be all the way down to a flip phone with the battery yanked between uses.
Re: (Score:2)
Re: (Score:3)
As long as we're dabbling in hypotheticals, why stop there?
Actually, you stop somewhere so you don't end up in a cabin in the woods typing a manifesto.
Re: (Score:2)
The clandestine Israeli group doesn't monitor people. It sells software for others to monitor people. Big difference.
It's called iOS (Score:2)
It's called iOS. It never truly powers down.
Re: (Score:2)
It's called iOS. It never truly powers down.
And Android phones do?
Re: (Score:2)
what, like some kind of smoothbrain that puts faith in the computational functions of a logo made of plastic?
pull the brick yourself or go sit with the septembers, it's the 21st century you're a third party cuckold paying for a corpo to do whatever it wants with "your" product, hardware or not
Man, communication is only possible when you use words in their usual, generally agreed-upon usage.
Re: (Score:1)
Re: (Score:2)
Yes. I even have one with a removable battery. Duh.
Re: (Score:2)
Yes. I even have one with a removable battery. Duh.
Good for you.
You and 5 other Android owners have phones that can be truly de-powered.
Remember when off meant off? (Score:2)
Pepperidge Farms remembers. Now excuse me, I'm texting this while driving and when I get to the off ramp part of me will still be on the highway.
Re: (Score:1)
Pepperidge Farms remembers. Now excuse me, I'm texting this while driving and when I get to the off ramp part of me will still be on the highway.
And I bet you also "lane dive" from the far left lane to the exit on the far right side of the road all while texting?
Oh my...how creative you are.
/sarcasm
Re: (Score:2)
In your sig, are you using "intensive" ironically or do you genuinely think it is correct?
https://www.google.com/search?... [google.com]
Re: (Score:2)
In your sig, are you using "intensive" ironically or do you genuinely think it is correct?
If that's the only thing you think is wrong in his sig, you need to learn a bit more.
"begs the question"
Excuse me while I look for a more unique concensus of opinion.
meh (Score:2)
this feels like a feature not a bug.
Huh! "after the battery dies" (Score:2)
No problem, just remove the battery. (Score:4, Insightful)
Comment removed (Score:4, Insightful)
Re: (Score:2)
You can actually detect a button press without power. There are wireless light switches that do it. They harvest energy from the switch mechanism, just enough to send out an RF signal to the lighting controller.
I think the power button on a phone might be too small, or rather not have enough travel, but in theory it could be enough to engage a FET on the battery supply, that is then held on by the power management IC.
Re: (Score:2)
The magic device you are looking for is a thyristor: https://en.wikipedia.org/wiki/... [wikipedia.org]
We Don't Need No Switches or Removable Batteries (Score:2)
won't bother with the story ... (Score:2)
... but the implication is that nowadays devices are never off. which doesn't really surprise me, make of it what you will.
Theoretical exploit. WTF? (Score:2)
Geez, I can come up with theoretical exploits all day. WTF?
Re: (Score:2)
Different than CMOS battery? (Score:3)
Is this all that much different than the fact that computers have separate onboard CMOS batteries to keep certain components alive even when unplugged/off? I can't speak to its "hackability", but it's been a long time since "off" meant truly "off".
Also, who actually turns off their phone, except to restart it asap after an update or something? I'm not sure I know anyone that regularly turns off their phone. I suppose if you truly don't want to be tracked by a nefarious government you might want to turn it completely off. In that case you'd want to not jailbreak the iPhone, which is actually a requirement for this malware to work.
Max Headroom? (Score:2)
Re: (Score:2)
Wasn't that a thing in the Max Headroom film & TV series that it was illegal to turn off your TV? Now that sounds mild compared to not being able to turn off the tracking device in your pocket.
It goes all the way back to Orwell's Nineteen Eighty-Four,
The instrument (the telescreen, it was called) could be dimmed, but there was no way of shutting it off completely.
Could even predate that, but it's probably the seminal example.
Re: (Score:2)