
Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones (2205.06114v1)

Published 12 May 2022 in cs.CR and cs.AR

Abstract: When an iPhone is turned off, most wireless chips stay on. For instance, upon user-initiated shutdown, the iPhone remains locatable via the Find My network. If the battery runs low, the iPhone shuts down automatically and enters a power reserve mode. Yet, users can still access credit cards, student passes, and other items in their Wallet. We analyze how Apple implements these standalone wireless features, working while iOS is not running, and determine their security boundaries. On recent iPhones, Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB) keep running after power off, and all three wireless chips have direct access to the secure element. As a practical example of what this means to security, we demonstrate the possibility to load malware onto a Bluetooth chip that is executed while the iPhone is off.

Citations (6)

Summary

  • The paper demonstrates that iPhone Low-Power Mode leaves Bluetooth, NFC, and UWB chips active post-shutdown, creating new security risks.
  • It reveals that firmware, particularly for Bluetooth, lacks secure boot, allowing unauthorized firmware modifications and potential malware persistence.
  • The study introduces analytical tools for Bluetooth firmware and advocates for hardware-based shutdown mechanisms to enhance device security.

Overview of the Paper: "Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones"

The paper "Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones" provides a detailed security analysis of Apple's implementation of Low-Power Mode (LPM) features on iPhones. The authors examine how wireless chips such as Bluetooth, NFC, and UWB may continue to operate even after the device is turned off, thereby introducing potential security vulnerabilities.

Key Findings and Contributions

  1. LPM Functionality and Implementation:
    • The paper explains that even when an iPhone is turned off, specific components like Bluetooth, NFC, and UWB chips remain functional to support features such as Find My network and Express Card services. This functionality is hardware-dependent and persists across power cycles, aiming to ensure convenience and security for users in aspects like locating a lost phone or making contactless transactions without unlocking the phone.
  2. Security Analysis of LPM Features:
    • The paper performs a thorough security analysis, highlighting that while LPM features are beneficial for safety and convenience, they also introduce new threat vectors. Notably, the authors demonstrate that LPM support on Bluetooth can be leveraged to maintain functionality post-shutdown, creating potential for tracking devices even when ostensibly turned off.
  3. Firmware Vulnerability:
    • A major focus of the paper is the vulnerabilities related to the firmware of these chips. The authors reveal that the firmware for the Bluetooth chip lacks robust security mechanisms such as secure boot, meaning that the firmware can be modified without authorization. This makes the chip susceptible to the injection of malicious software that could, theoretically, remain active while the phone is powered off.
  4. Inter-Chip Communications:
    • Another significant contribution is the analysis of inter-chip communications, notably the Bluetooth and UWB chips interfacing directly with the Secure Element (SE). The paper warns that this direct connection increases exposure to potential exploits and could inadvertently allow unauthorized data access.
  5. Tool Development:
    • The authors also contribute to the community by developing and publishing tools to analyze and modify Bluetooth firmware on iPhones. These tools are critical for further research into wireless security on Apple devices and provide a foundation for continued examination of related firmware vulnerabilities.

Implications and Future Directions

The implications of this research span both theoretical and practical domains. From a theoretical perspective, the findings contribute to our understanding of the complexities and potential pitfalls in securing power-saving features on modern smartphones. Practically, the paper underscores the need for hardware and firmware security enhancements to safeguard against unauthorized LPM activity.

The authors suggest the inclusion of a hardware-based switch to physically disconnect the battery, aiming to provide users with an option to guarantee that their devices’ wireless components remain shut off. This recommendation points toward future developments in smartphone design that emphasize user control over device states.

Given the widespread use of iPhones globally, the revelations regarding firmware vulnerabilities carry significant implications. There is a call for Apple and other manufacturers to address these vulnerabilities through firmware signing mechanisms and the implementation of secure boot procedures for wireless chips. Moreover, as more functionalities are integrated into mobile devices, ensuring that the security of low-power features evolves alongside them remains a critical challenge.

The paper provides a stark reminder of the ever-present threats within modern wireless environments and sets the stage for ongoing research into secure wireless systems. Such research is crucial to anticipate and mitigate unforeseen security challenges that may arise as devices become increasingly interconnected and functionally complex.
