iOS ‘Find My’ allows hackers to run malware on switched off devices

May 19, 2022
iOS Find My Hackers Malware Mobile Devices Apple Bluetooth

Apple’s ‘Find My’ feature has been found to contain a critical flaw that allows hackers to tamper with the firmware of the Bluetooth chip and inject malware into it, malware that can run even while the iPhone is turned off.

The attack abuses the ability of the wireless chips for Bluetooth, NFC and ultra-wideband (UWB) to keep operating after an iOS device is shut down and enters low power mode (LPM), a state intended to preserve battery.

This component was added to iOS so that features such as ‘Find My’ keep working even when a device is off. It is also what gives the three wireless chips access to the Secure Element (SE), a tamper-resistant platform.

Experts explained that the Bluetooth and UWB wireless chips are hardwired to the NFC chip’s SE, which holds sensitive data that remains available in low power mode. LPM support is built into the iOS hardware, so it cannot be removed even by modifying software components.

Consequently, modern iPhones with the ‘Find My’ feature can no longer be considered trustworthy once switched off, and this creates a new threat model for users.

The LPM features are mainly intended to let users who have lost their iPhones use the ‘Find My’ feature even if the device has shut down because of low battery or has been deliberately switched off by someone. The latest iPhone models with UWB support are the iPhone 11 to 13.

These iPhone models display a message on shutdown informing users that the device will remain findable, to help locate it if it has been stolen, lost for other reasons, or is in low power mode. After analysing it, cybersecurity experts described the LPM implementation as ‘opaque’ because of occasional initialisation failures during power off. The experts also noted that the Bluetooth firmware of iPhones is neither signed nor encrypted, which contradicts the assurance given by that prompt.

Hackers who already have privileged access on the device can abuse this situation to launch malware that executes on the iPhone’s Bluetooth chip even while the phone is turned off. Compromising the firmware requires the threat actors to tamper with the LPM application thread in order to inject the malware.

Cybersecurity experts have reached out to Apple but have failed to get a response.
