Scary bug could send malware to your iPhone even when it’s turned off

It might not be all that surprising or alarming that researchers at the Technical University of Darmstadt in Germany have discovered a new vulnerability that could be used to deliver malware to your iPhone. What’s unique about this vulnerability is that it can be accessed when an iPhone is turned off.

This vulnerability requires a jailbroken iPhone, so it’s nothing to worry about right now for a vast majority of iPhone users. But as Ars Technica points out, the theoretical risk could become a real one as hackers discover security flaws that could allow this vulnerability to be exploited, so it needs to be addressed by Apple.

The researchers made a video that summarizes the exploit, but in a nutshell, the issue involves the iPhone’s Bluetooth chip and the Find My feature that Apple provides even when newer iPhones (iPhone 11 and later) are off. When your iPhone is powered down, the Bluetooth chip is still active, which runs in a low-power mode so it can continue to provide Find My and other services. The researchers found that this low-power mode can be exploited to run malware. (Note: This low-power mode is different from the low-power mode setting that helps save battery life.)

According to the researchers’ paper, this issue can’t be fixed with an iOS update, since the issue involves the low-power mode implementation in the iPhone’s hardware. The researchers suggest that Apple “should add a hardware-based switch to disconnect the battery” to fix the problem, which would mean only future iPhones would be safe from this exploit. However, chances are you haven’t turned off your iPhone in days, and this is an exploit that’s difficult to hack, so you don’t need to fret over it—and if you are, you can always switch off the “Send Last Location” toggle in Find My.
iOS Security, iPhone, Mobile Security, Security