Researchers have found that malware can be executed on iPhones even while they are turned off.
The news comes from a security analysis of an iPhone feature introduced with iOS 15: the Bluetooth chip, among others, remains on after a user has powered the phone down, due in part to Apple’s “Find My” location tracking function.
Here’s how it works, and what steps you can take to keep you and your iPhone (relatively) safe.
Why iPhones Are in Danger Even While Off
Not every part of your iPhone shuts down when you hit the power button: Wireless chips remain on. Certain services need to know your phone’s location even when it’s off, and Apple’s “Find My” feature is the reason why malware can be triggered on these devices at all times.
On recent iPhone models, three chips stay on — Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB).
“All three wireless chips have direct access to the secure element,” say researchers at the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt. The details are available in their research paper, memorably titled “Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones.”
In the paper, they demonstrate a practical example of what this all means: Malware can be loaded onto a Bluetooth chip within an iPhone and then executed later, while the iPhone is off.
“As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model,” the paper states. “Previous work only considered that journalists are not safe against espionage when enabling airplane mode in case their smartphones were compromised.”
Part of the issue, according to this research, is that the Bluetooth firmware is neither signed nor encrypted, and the UWB chip firmware is signed but not encrypted.
What You Can Do About It
There’s a silver lining to this interesting but admittedly scary news: A bad actor would still need to load the malware onto an iPhone’s Bluetooth chip while the phone is on in order to execute it at a later date while the phone is off. But since an iPhone user can’t be sure that hasn’t happened, they can’t fully trust their phone even when it’s off.
The researchers offered a potential fix, saying Apple could change the low-power mode (LPM) application thread, but also mentioned that Apple gave no feedback when they raised their concerns. The functionality would have to be changed at the hardware level rather than through a system update, so it seems unlikely that the issue will be addressed in the near future.
The truly safe approach is to leave your iPhone at home when taking a trip to sensitive locations like your business’s server room. Granted, that’s not an easy or practical fix for most occasions.
Another precaution could be a paid VPN service to boost security while your phone is on. We’ve rounded up the top VPN options for iPhones in the past. Ultimately, though, this research paper is another reminder that smartphones will always be location-tracking devices in one way or another. If you want to stay truly safe, get a flip phone.