German security researchers have warned of security risks because, as of iOS 15, Bluetooth remains powered on after users turn off an iPhone. In addition, the Bluetooth firmware is neither signed nor encrypted.
The researchers from TU Darmstadt describe in their paper that the absence of signing and encryption on the Bluetooth firmware allowed them to modify that entire firmware and load it onto the phone. Because the operating system is turned off at that point, the modified firmware is then able to access the Secure Enclave, which in theory makes malware possible.
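To make the firmware-authentication point concrete, here is an added illustration that is not code from the paper, from Apple, or from the article. It models a minimal firmware image container (header, payload, authentication tag) and contrasts a loader that only checks the header with one that also verifies the tag: a byte-level modification of the payload is accepted by the first and rejected by the second. All names, the image format and the key are constructed for this example; HMAC-SHA256 with a shared key stands in for the asymmetric signature a real boot chain would use, so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed sample key. A real design would hold a vendor public key on the
# device and sign images with the matching private key; a keyed MAC is used
# here only so that the example runs offline with the standard library.
DEVICE_KEY = b"example-device-key-not-a-real-secret"

MAGIC = b"BTFW"            # constructed magic for the fake image format
HEADER_FMT = ">4sHI"       # magic, version, payload length (big-endian)
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = hashlib.sha256().digest_size


def build_image(payload: bytes, version: int, key: Optional[bytes]) -> bytes:
    """Build an image as header || payload || tag.

    With key=None the image carries an all-zero tag, i.e. it is unauthenticated,
    which is the situation the researchers describe for the Bluetooth firmware.
    """
    header = struct.pack(HEADER_FMT, MAGIC, version, len(payload))
    body = header + payload
    if key is None:
        tag = b"\x00" * TAG_LEN
    else:
        tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def parse_header(image: bytes) -> Optional[Tuple[int, int]]:
    """Return (version, payload_length) if the framing is sane, else None."""
    if len(image) < HEADER_LEN + TAG_LEN:
        return None
    magic, version, length = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != MAGIC or len(image) != HEADER_LEN + length + TAG_LEN:
        return None
    return version, length


def legacy_loader_accepts(image: bytes) -> bool:
    """A loader that checks only framing: any well-formed payload is accepted."""
    return parse_header(image) is not None


def verifying_loader(image: bytes, key: bytes) -> Tuple[bool, str]:
    """A loader that refuses any image whose authentication tag does not verify."""
    parsed = parse_header(image)
    if parsed is None:
        return False, "malformed image"
    version, _ = parsed
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(tag, expected):
        return False, "authentication tag mismatch"
    return True, f"accepted version {version}"


def overwrite_payload_bytes(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite bytes inside the payload region, keeping the length unchanged.

    Used here only to show that the verifying loader detects the change while
    the framing-only loader does not.
    """
    start = HEADER_LEN + offset
    edited = bytearray(image)
    edited[start:start + len(new_bytes)] = new_bytes
    return bytes(edited)


if __name__ == "__main__":
    original = build_image(b"constructed firmware payload", 3, DEVICE_KEY)
    modified = overwrite_payload_bytes(original, 0, b"altered")
    print("legacy loader, original :", legacy_loader_accepts(original))
    print("legacy loader, modified :", legacy_loader_accepts(modified))
    print("verifying loader, original:", verifying_loader(original, DEVICE_KEY))
    print("verifying loader, modified:", verifying_loader(modified, DEVICE_KEY))
```

The point of the contrast is that both loaders parse the same container; only the second binds the payload to a key the modifier does not hold, so an image that still looks well-formed after editing is nevertheless refused. The same split applies to an unsigned image built with key=None, which the verifying loader rejects outright.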
The attack has only become possible now because, under iOS 15, functions such as Find My iPhone, Express Cards and Digital Car Key remain available for a limited time after the phone is switched off. They are meant to keep working for as long as possible, so they continue to work even when the phone turns itself off because the battery is nearly empty. The chips kept powered for this are NFC, Ultra Wideband and Bluetooth. Apple does not say exactly how long those functions remain available; according to the researchers, it is five hours.
Apple released iOS 15 last fall, and this is believed to be one of the first investigations into the security aspects of this functionality. Apple has not yet responded. The researchers recommend building a physical switch into iPhones that cuts off the power from the battery. “That would improve the situation for users who care about privacy, and for victims of surveillance.” The researchers will present their findings this week at the ACM conference on wireless network security, which takes place in the American city of San Antonio.
| Active features after shutting down iPhones | Firmware signed | Firmware encrypted |
|---|---|---|