Connect with us

Hi, what are you looking for?


IoT Security

Hackers Can Abuse Low-Power Mode to Run Malware on Powered-Off iPhones

Powered-off iPhone can still run malware

Powered-off iPhone can still run malware

Researchers from a university in Germany have analyzed the low-power mode (LPM) implementation on iPhones and found that it introduces potentially serious security risks, even allowing attackers to run malware on powered-off devices.

LPM is activated when the user switches off the iPhone or when the device shuts down due to low battery. While the device appears completely turned off, LPM ensures that certain features are still available, including the Find My service (for locating a device), digital car keys, payment apps, and travel cards.

While LPM has many benefits, it also introduces some security risks that cannot be ignored, particularly by journalists, activists and other individuals who are more likely to be targeted by well-funded threat actors.

An analysis conducted by a team of researchers from the Secure Mobile Networking Lab at TU Darmstadt showed that, on recent iPhone models, Bluetooth, NFC and Ultra-wideband (UWB) wireless communication systems remain active even after the device has been shut down. They conducted an analysis of the features introduced in iOS 15.

“The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM. Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown,” the researchers explained.

The researchers checked if applications that rely on LPM (e.g. Find My) work as intended, as well as impact on hardware and firmware security.

In the firmware-focused analysis, the researchers assumed the attacker had privileged firmware access, being able to send custom commands to the firmware, modify the firmware image, or achieve code execution over the air. They claim that once the firmware has been compromised, the attacker can maintain limited control of the device even after it has been powered off by the user, which could be useful for persistent exploits.

Advertisement. Scroll to continue reading.

In the case of the hardware layer, the researchers assumed that the attacker did not manipulate hardware. They focused on determining which components could be powered on without the user’s knowledge and which applications could be built.

They also detailed how Bluetooth LPM firmware can be changed to run malware on an iPhone 13 when the device is powered off. This is possible because the firmware is not signed or encrypted and the Bluetooth chip does not have secure boot enabled.

“Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications,” the researchers said in their paper. “Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation. Tracking properties could stealthily be changed by attackers with system-level access.”

“Furthermore, modern car key support requires UWB in LPM. Bluetooth and UWB are now hardwired to the SE, used to store car keys and other secrets. Given that Bluetooth firmware can be manipulated, this exposes SE interfaces to iOS. However, the SE is specifically meant to protect secrets under the condition that iOS and applications running on it could be compromised,” they added.

The researchers believe Apple should add a hardware switch to disconnect the battery, which would “improve the situation for privacy-concerned users and surveillance targets like journalists.”

They have made available some open source tools — InternalBlue and Frankenstein — that can be used for firmware analysis and modifications.

The researchers said they reported their findings to Apple, but the tech giant provided no feedback before their paper was published last week. SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

Earlier this year, other researchers showed how a piece of iOS malware can achieve persistence on an iPhone by faking the device’s shutdown process.

Related: Turn Off, Turn On: Simple Step Can Thwart Top Phone Hackers

Related: Contactless Payment Card Hack Affects Apple Pay, Visa

Related: Unpatched HomeKit Vulnerability Exposes iPhones, iPads to DoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...