Researchers have discovered a first-of-its-kind attack that abuses the iOS Find My function to tamper with wireless chip firmware. The attack may load malware onto an iPhone's Bluetooth chip even when the phone is turned off.
Prerequisites for the attack
To carry out this attack, the attacker must be able to communicate with the firmware via the OS, modify the firmware image, or gain code execution on an LPM-enabled chip over the air by abusing existing flaws (e.g. BrakTooth).
The novel attack
The attack takes advantage of the wireless chips responsible for Bluetooth, Near-Field Communication (NFC), and Ultra-Wideband (UWB). These chips continue to operate after iOS shuts down, because the device enters a power-reserve Low Power Mode (LPM).
The UWB and Bluetooth chips are hardwired to the Secure Element (SE) in the NFC chip and store sensitive information that must remain available in LPM.
The idea behind the attack is to modify the LPM application thread to insert malware that could alert the malicious actor to a victim's Find My Bluetooth broadcasts and may allow them to keep tabs on the victim remotely.
As LPM support is implemented in hardware, it cannot be removed by changing software components. Thus, these wireless chips continue to access confidential information even after the phone is turned off.
Loophole in LPM implementation
Researchers observed that the current LPM implementation is not fully transparent, and failures have been noticed when initializing Find My advertisements during power-off.
Additionally, the researchers state that the Bluetooth firmware is neither signed nor encrypted.
As a result, an attacker with privileged access can create malware that runs on an iPhone's Bluetooth chip even while the phone is shut down.
About the LPM features
LPM features were first added in iOS 15 last year to allow lost devices to be tracked over the Find My network even if the iPhone runs out of battery or shuts down. At present, UWB support covers the iPhone 11, 12, and 13, which makes these devices susceptible to the attack.
Conclusion
The researchers suggest that Apple should add a hardware-based switch to disconnect the battery, which would address the surveillance concerns raised by firmware-level attacks. Beyond that, the tech giant should find an adequate solution to fix such flaws in its devices.