Researchers at the Technical University of Darmstadt in Germany have discovered a new vulnerability that could be used to run malware on a user’s iPhone. Notably, the malware can keep operating even when the iPhone is turned off.
Happily for the majority of iPhone users, the attack currently works only on jailbroken iPhones. Still, as Ars Technica reports, attackers could eventually find a way to exploit the flaw more broadly, so Apple needs to address the issue.
The issue, demonstrated in the video below, involves the iPhone’s Bluetooth chip and the Find My feature, which on newer iPhones (iPhone 11 and later) keeps working even when the phone is off. When one of these iPhones is powered down, its Bluetooth chip stays active, running in a low-power mode so it can continue to provide Find My and other services.
The researchers found that this low-power mode can be abused to run malware: code loaded onto the Bluetooth chip keeps running after the phone is switched off. (As the report notes, this low-power mode is different from the battery-saving Low Power Mode in iOS settings.)
The researchers say the issue cannot be fixed with an iOS update, because it stems from how low-power mode is implemented in the iPhone’s hardware. They suggest Apple “should add a hardware-based switch to disconnect the battery” to fix the problem.
For now, the flaw is difficult to exploit. If you are a jailbreaker who is concerned about the security hole, you can toggle off the “Send Last Location” feature in Find My.