A first security analysis of the Find My function on iOS has identified a new attack surface that makes it possible to tamper with firmware and load malware onto a Bluetooth chip that is executed while the iPhone is "off".
This mechanism takes advantage of the fact that the wireless chips for Bluetooth, Near Field Communication (NFC) and Ultra Wideband (UWB) continue to operate after iOS has shut down, when the device enters the Low Power Mode (LPM) "power reserve".
While this is done to enable features like Find My and Express Card transactions, all three wireless chips have direct access to the secure element, academics from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt said in a paper titled "Evil Never Sleeps".
"The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM," the researchers said.
"Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, the wireless chips can no longer be relied on to turn off after shutdown. This poses a new threat model."
The findings will be presented at the ACM Conference on Security and Privacy in Mobile and Wireless Networks (WiSec 2022) this week.
LPM features, introduced last year with iOS 15, make it possible to track lost devices using the Find My network even when the battery is dead or the device is turned off. Current devices with Ultra Wideband support include the iPhone 11, iPhone 12, and iPhone 13.
A message is displayed when the iPhone is turned off that says, "iPhone remains findable after power off. Find My helps you locate this iPhone when it's lost or stolen, even when it's in power reserve mode or when powered off."
Calling the current implementation of LPM "unclear", the researchers not only occasionally observed failures when initializing Find My advertisements during power off, contrary to the message quoted above, they also discovered that the Bluetooth firmware is neither signed nor encrypted.
By taking advantage of this weakness, an adversary with privileged access could create malware that runs on an iPhone's Bluetooth chip even when the device is powered off.
However, for such a firmware compromise to occur, an attacker must be able to communicate with the firmware through the operating system, modify the firmware image, or gain code execution on an LPM-enabled chip over the air by exploiting vulnerabilities such as BrakTooth.
In other words, the idea is to alter the LPM application thread to embed malicious code, such as code that alerts the malicious actor to the victim's Find My Bluetooth broadcasts, effectively allowing the threat actor to keep remote tabs on the target.
"Instead of changing existing functionality, they could also add completely new features," the SEEMOO researchers pointed out, adding that they responsibly disclosed all the issues to Apple, but that the tech giant "had no feedback".
With LPM-related features taking a more covert approach to carrying out their intended use cases, SEEMOO has called on Apple to add a hardware-based switch to disconnect the battery, in order to alleviate any surveillance concerns that could arise from firmware-level attacks.
Because LPM support is based on the iPhone’s hardware, it cannot be removed with system updates, the researchers said. “Therefore, it has a lasting effect on the overall iOS security model.”
"The design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not protected against manipulation."