The exploit is related to a feature in iOS 15 that allows Find My to work for several hours after a device has been turned off. Specifically, chips used for Bluetooth, near field communication (NFC) and ultra-wideband (UWB) continue to run in a low-power mode (LPM) even after a user-initiated shutdown. This low-power mode is different from the one indicated by the yellow battery icon. In assessing LPM features, researchers found that the Bluetooth LPM firmware is neither signed nor encrypted. Under the right circumstances, the team claims this firmware could be modified to run malware. These favorable conditions include a jailbroken iPhone, preferably with system-level access. If you already have that level of access, a Bluetooth chip exploit like the one proposed here would probably be redundant.
The researchers claim they informed Apple of the issues but the company did not comment on the matter. Similarly, Apple declined to comment when contacted by Motherboard.

Security researcher Ryan Duff told Motherboard “it’s not really a standalone attack without additional vulnerabilities and exploits.” “It may be possible to exploit the Bluetooth chip directly and modify the firmware, but the researchers did not do that and there isn’t a known exploit that would currently allow that,” Duff added.

In their report published on arXiv, the team said they believe LPM is “a relevant attack surface that has to be considered by high-value targets such as journalists, or that can be weaponized to build wireless malware operating on shutdown iPhones.”

Image credit: Caleb Oquendo, MacRumors