I. Targeted Entities

  • iPhone users

II. Introduction

New attacks have been discovered on iPhones that can be executed despite the device being turned off. This is a direct result of how Apple implements wireless features in iPhones such as Bluetooth, Near Field Communications (NFC), and Ultra-wideband (UWB) technologies. These features remain active on iPhones when powered down, which makes attack scenarios, such as loading malware on an iPhone’s Bluetooth chip to be executed while powered off, possible.

III. Background Information

The features previously mentioned have access to the iPhone’s Secure Element (SE) which stores sensitive information, even when the iPhone is shut off, according to a team of researchers from Germany’s Technical University of Darmstadt.[1] Because of this, malware is able to be loaded onto a Bluetooth chip that is executed while the iPhone is off (Germans). By attacking these wireless features, cybercriminals can access secure information, including a user’s credit card data, banking details, and even digital car keys on the iPhone.[2] Although this threat is ever-present, exploiting the threat is not so easy, with the threat actors still having to load the malware when the iPhone is on for later execution when the iPhone is off. This would require system-level access or remote code execution (RCE).[3]

The researchers at Germany’s Technical University of Darmstadt say that the cause of the issue is the low power mode (LPM) for wireless chips on iPhones. The LPM issue is caused when the user turns off their iPhone or when iOS shuts down automatically due to low battery. The researchers say that this is different than the power-saving feature that can be enabled by the user in the Settings app or

the Control Center. Because LMP is based on the iPhone’s hardware, and a solution cannot be patched via software, “wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model.”[1]

Researchers analyzed the security of LPM features in a layered approach, observing the impact of the feature on application-, firmware-, and hardware-level security. A potential threat scenario that the researchers outlined on the iPhone’s firmware assumes that an attacker either has system-level access or can gain RCE using a known Bluetooth vulnerability.[2] In this attack, a threat actor with system-level access could modify firmware of any component that supports LPM. This way, they maintain limited control of the iPhone, even when the user turns the iPhone off.[3] Even if all firmware would be protected against manipulation, an attacker with system-level access could still send custom commands to chips that allow for “very fine-grained configuration, including advertisement rotation intervals and contents.” This could allow an attacker to create settings that would allow them to locate a user’s device with higher accuracy than the legitimate user in the Find My app, for example. [4]

The researchers reported their research to Apple, which did not provide feedback on the issues raised. A potential solution, according to the researchers, is for Apple to add “a hardware-based switch to disconnect the battery” so these wireless elements wouldn’t have power while an iPhone is powered down.[5]

IV. MITRE ATT&CK

  • T1204 – User Execution
    Adversaries must have system-level access to iPhones to conduct this kind of attack. Thus, they may attempt to social engineer iPhone users to load malware into their devices to be later executed when powered off.
  • T1569 – System Services
    Adversaries that have system-level control over iPhones will be able to execute malware remotely. Having this kind of control would give adversaries the ability to modify firmware that control low power mode, Bluetooth, NFC, and other wireless communication protocols.
  • T1644 – Out of Band Data
    Adversaries are capable of executing previously loaded malware on iPhones that have been powered off. Out-of-band data streams, such as Bluetooth and NFC, allow adversaries to execute malware remotely without needing any power from the device’s battery.

V. Recommendations

  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Monitor Malware
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/inzlsmaxpkn72bo64sv5wya7ythbftid

VII. References

(1) Cleafy Labs. “TeaBot Is Now Spreading across the Globe.” Cleafy Labs. Cleafy Labs, January 3, 2022. https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe.

(2) Nelson, Nate. “Teabot Trojan Haunts Google Play Store, Again.” Threatpost English Global, March 2, 2022. https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.