When Wireless Malware Stays On After Turning Off iPhones
After power off, modern iPhones keep their wireless chips on. Find My advertisements are sent by the Bluetooth chip upon user-initiated and automated low-power shutdown since iOS 15. Less noticeable to most users, Apple introduced a Digital Car Key 3.0 express mode, also available after low-power shutdown for up to 5 hours. This is implemented with a Bluetooth GATT service for initial detection, an Ultra-wideband (UWB) module for fine ranging, and an applet in the NFC chip’s secure element managing access to cryptographic keys. While these are interesting features for most end-users, this means that high-value targets like journalists can no longer trust their iPhone to be switched off. We take a look into the Bluetooth firmware to analyze low-power standalone features and show that modification for malware is possible.
In this talk, we show how low-power mode for NFC, UWB and Bluetooth is implemented in hardware, revealing that this has been planned at least since designing the iPhone 11 hardware. Then, we dig deeper into the most recent Bluetooth firmware present in the iPhone 12 and 13. We make modifications to the Bluetooth firmware and the InternalBlue framework, allowing analysis, debugging, but also installing stealthy low-power malware. The latest firmware diverges a lot from older firmware with leaked symbols. We demonstrate how to match the most important handlers anyway to learn which features are enabled in Apple’s low-power Bluetooth firmware, which parameters can be changed in the stock firmware, and which capabilities could be added by malware.