Techweb reported on May 17 that the chips in Apple's iPhone will continue to operate in low power consumption mode (LPM) when the device is turned off. Recently, some researchers have designed a kind of malware based on this mechanism, which can run when users turn off iPhone. Although the corresponding research is still theoretical, it exposes the security problems of Apple devices.
When the user turns off the iPhone, in fact, the device is not completely turned off, and the built-in chip will continue to operate in low-power mode, so that the user can use the "find" function to locate the lost or stolen device, or continue to use [Apple] after the battery runs out( https://apple.pvxt.net/c/1251234/435400/7639?u=https%3A%2F%2Fwww.apple.com%2Fcn%2Fmusic%2F ) Wallet and car keys. Now, researchers use this "always on" mechanism to run malware and keep it running when the iPhone is turned off.
IPhone uses the built-in Bluetooth chip to continue to realize "search" and other functions when it is turned off. But facts have proved that this chip has no digital signature mechanism and will not even encrypt the running firmware. Scholars at the Technical University of Darmstadt in Germany have designed a method to run malicious firmware by using this lack of encryption mechanism, so that attackers can track the location of the mobile phone or run malicious functions when the mobile phone is turned off.
This study is the first time that researchers have studied the security risks of chips running in low-power mode. The low-power mode referred to in the study is not the low-power mode in IOS system, but refers to that the chips responsible for near-field communication, UWB and Bluetooth in Apple devices will maintain low-power operation after the device is turned off and can last for 24 hours.
"At present, the operating mechanism of LPM mode on Apple iPhone is not transparent and adds new security risks," the researchers wrote in a paper published last week "Since LPM mode is based on iPhone hardware, it cannot be removed through system update, so it has a long-term impact on the whole IOS security mechanism. To our knowledge, this is the first study to introduce unrecorded LPM features into IOS 15 and find various problems."
The researchers added: "the design of LPM mechanism seems to be mainly from the perspective of function and does not consider the security threats outside the expected application. The search function after shutdown will turn the iPhone in the user's hand into a tracking device, while the implementation of Bluetooth firmware function is not safe and can be manipulated or tampered with by malware."
Of course, the researchers' findings have limited value in the real world. Because to keep the malware running when it is turned off, you first need to let the iPhone escape, which itself is a difficult task. Nevertheless, there is always a functional operation mechanism in IOS 15 system, which may be exploited by malware, making it easier for criminals to monitor users.
In addition, if hackers find security vulnerabilities vulnerable to wireless attacks, they may also infect the built-in chip of iPhone, similar to the related vulnerabilities for Android devices.
In addition to allowing malware to run when the iPhone is turned off, attacks against the LPM mechanism can also allow malware to run secretly in the background, because the LPM mechanism itself can save the battery power required to run the firmware. Of course, it is not easy to detect whether firmware is infected with malware, which requires a lot of expertise and expensive equipment.
The researchers said that Apple engineers reviewed the paper before it was published, but the company representative never provided any feedback on the content of the paper.
Research shows that although the LPM mechanism in Apple iPhone allows users to locate lost or stolen devices when they are turned off, they can unlock or open the door even when the battery runs out. But in terms of security, it is a double-edged sword that has not been noticed.
"Hardware and software attacks similar to the above attacks have proved feasible, so the research topics involved in this paper are timely and practical," said John loucaide, senior vice president of strategy at eclypsium, a firmware security company "This is a typical phenomenon of all devices. Manufacturers have been adding new functions. Every time a new function is added, a new attack angle will appear." (Chen Chen)