Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones

TL;DR

This paper investigates how certain wireless components on iPhones remain active after shutdown, enabling functionalities like location tracking and payments, and explores security implications including malware risks.

Contribution

It reveals the implementation details of wireless chips that stay active post-shutdown and demonstrates potential security vulnerabilities such as malware loading.

Findings

Bluetooth, NFC, and UWB stay active after shutdown

Wireless chips have direct access to the secure element

Malware can be loaded onto Bluetooth chips when iPhone is off

Abstract

When an iPhone is turned off, most wireless chips stay on. For instance, upon user-initiated shutdown, the iPhone remains locatable via the Find My network. If the battery runs low, the iPhone shuts down automatically and enters a power reserve mode. Yet, users can still access credit cards, student passes, and other items in their Wallet. We analyze how Apple implements these standalone wireless features, working while iOS is not running, and determine their security boundaries. On recent iPhones, Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB) keep running after power off, and all three wireless chips have direct access to the secure element. As a practical example what this means to security, we demonstrate the possibility to load malware onto a Bluetooth chip that is executed while the iPhone is off.