Researchers at Germany’s Technical University of Darmstadt have found that iPhones can be vulnerable to security threats even when powered off. Wireless chips, including Bluetooth, run using low power mode when the power is off. Malicious actors can take advantage of the reduced power mode to use malware.  “When a user shuts down their device through the phone’s menu or power button, they have a reasonable belief that all the processors are shut down, but that’s not the case,” Eugene Kolodenker, a senior staff security intelligence engineer at the cybersecurity firm Lookout, which was not involved in the German study, told Lifewire in an email interview. “Services such as FindMy need to work even when the devices are shut off. This requires a processor to continue running.”

Zombie iPhones

The German researchers examined the iPhone’s low-power mode (LPM) that powers near-field communication, ultra-wideband, and Bluetooth.  “The current LPM implementation on Apple iPhones is opaque and adds new threats,” the researchers wrote in the paper. “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.” Kolodenker explained that modern mobile devices consist of many different computer processors. Generally, people who interact the most when using a smartphone are the application processor (AP) and the baseband processor (BP).  “These are what runs most of the operating system and call capability,” he added. “However, there are numerous additional processors now in phones, such as the Secure Enclave Processor and the Bluetooth Processor on iPhones. These processors can be exploited much like the AP and BP.”  Don’t worry too much about threats when your phone is powered off, though. “The bright side is that threats targeting stand-by processors that are running when a device is shut down are theoretical,” Kolodenker said.  Thomas Reed, the director of Mac & Mobile at Malwarebytes, a maker of anti-malware software,  said in an email that there’s no known malware using BLE firmware compromise to remain persistent when the phone is ‘off.’  He added that “further, unless you are likely to be targeted by a nation-state adversary—for example, if you are a human rights advocate or journalist critical of an oppressive regime—you’re not likely to ever run into this kind of problem,” he added. “If you actually are a potential target for a nation-state adversary, don’t trust that your phone is ever truly off.” Andrew Hay, the chief operating officer of LARES Consulting, an information security consulting firm, said via email that for the average user, this “threat” will not impact them in the slightest as it is only present on a jailbroken iPhone.  “A user has to go out of their way to jailbreak their iPhone, and a number of past academic studies/discoveries rely on that fact,” he added. “If a user wants to be as safe as possible, they should continue to use the official (and tested) operating systems, apps, and features provided by the device manufacturer.”

Protecting Yourself

Keeping your phone data safe from hackers takes more than a tap of the power button, Reed pointed out. For victims of domestic violence, Reed said that if you’re in a situation where an abuser monitors your location, you should be aware that turning off your phone will not stop the tracking. “For those in such situations, we advise seeking help, as disabling the tracking could have bad consequences,” he added. “If you need to not be tracked for a while, leave your phone in a location where it’s reasonable to expect you might spend some time.” Marco Bellin, the CEO of Datacappy, which makes security software, said the only way to truly protect yourself is to use a Faraday cage, which blocks all signals from your phone.  “The problem is that most people will never use one,” he added. “They are encumbering because they don’t allow your phone access to communication. There is no phone, text, or social media notification, and most people will forego their safety for convenience. I use one only for travel, but I’ll be using it more often now.”