DOI: 10.1145/3507657.3528547
Research article

Evil Never Sleeps: When Wireless Malware Stays On after Turning Off iPhones

Published: 16 May 2022

Abstract

When an iPhone is turned off, most wireless chips stay on. For instance, after a user-initiated shutdown, the iPhone remains locatable via the Find My network. If the battery runs low, the iPhone shuts down automatically and enters a power reserve mode. Yet, users can still access credit cards, student passes, and other items in their Wallet. We analyze how Apple implements these standalone wireless features, which work while iOS is not running, and determine their security boundaries. On recent iPhones, Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB) keep running after power off, and all three wireless chips have direct access to the secure element. As a practical example of what this means for security, we demonstrate that it is possible to load malware onto the Bluetooth chip that executes while the iPhone is off.


Cited By

  • (2025) Bluetooth Simulated Reconnaissance Attack Through the Use of HCITool: A Case Study. 2nd International Conference on Cloud Computing and Computer Networks, 133-143. DOI: 10.1007/978-3-031-78131-5_10. Online publication date: 3 Jan 2025.
  • (2024) SoK: The Long Journey of Exploiting and Defending the Legacy of King Harald Bluetooth. 2024 IEEE Symposium on Security and Privacy (SP), 2847-228066. DOI: 10.1109/SP54263.2024.00023. Online publication date: 19 May 2024.
  • (2024) Wherever I May Roam: Stealthy Interception and Injection Attacks Through Roaming Agreements. Computer Security – ESORICS 2024, 208-228. DOI: 10.1007/978-3-031-70903-6_11. Online publication date: 16 Sep 2024.


Published In

WiSec '22: Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks
May 2022, 314 pages
ISBN: 9781450392167
DOI: 10.1145/3507657
General Chair: Murtuza Jadliwala
Program Chairs: Yongdae Kim, Alexandra Dmitrienko

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

bluetooth, digital car key, express mode, find my, low power mode, malware, nfc, secure element, uwb

Conference

WiSec '22

Acceptance Rates

Overall Acceptance Rate 98 of 338 submissions, 29%
