Researchers from cybersecurity firm ZecOps have discovered a way to alter the iPhone's shutdown sequence, tricking the user of an infected device into believing the phone is off when it is actually still running and can secretly take photos and record video.
According to the researchers, ordinary iOS malware is normally cleared when the device is restarted, because a reboot wipes it from the device's memory. The new technique instead hooks the malware into the shutdown and restart routines so that the real shutdown never happens. To the user, the phone appears to be off, but it is in fact still running.
Zecops posted a video of the technique in action, showing how easily it can fool anyone into thinking their device is off.
Video: fake shutdown simulated with the NoReboot persistence technique
ZecOps researchers call this attack technique "NoReboot". In normal operation, the user presses and holds the power button and a volume button at the same time until a slider appears that lets them turn off the iPhone. Shutdown takes about 30 seconds, after which the screen, camera and other phone functions appear to be completely off.
The researchers were able to reproduce this appearance exactly, making the phone look fully powered down while the malware on it stayed active.
The researchers said: “Even though we disabled all physical feedback, the phone was still fully functional and capable of staying connected to the internet. Hackers can blatantly manipulate the phone remotely without worrying about being caught because the user thinks the phone is off.”
When the user later decides to turn the phone back on, the malware can play the system boot animation with the Apple logo to convince the user that everything is working normally, while the malware remains lurking inside.
Even without malware, a shut-down iPhone does not actually power off completely. Apple introduced a feature in iOS 15 that keeps even a powered-off iPhone locatable through Find My. The company has not explained how the feature works, but ZecOps researchers found that it relies on Apple keeping the Bluetooth LPM chip running even when the phone is off.
The researchers say it is best never to assume the device is truly off unless the battery is removed. The malware used in the demonstration was created by the researchers as a proof-of-concept for security testing on iOS. If you want to learn more, you can check it out here.