Big picture: Researchers at the Technical University of Darmstadt in Germany have demonstrated the ability to load malware onto an iPhone even when it is turned off. There is no evidence that it has been used in the wild, and it may not even be viable on its own, but the finding should give Apple food for thought.
The exploit is tied to a feature in iOS 15 that allows Find My to keep working for several hours after the device is turned off. In particular, the chips used for Bluetooth, near field communication (NFC), and ultra-wideband (UWB) continue to operate in Low Power Mode (LPM) even after a user-initiated shutdown.
This low power mode is distinct from the battery-saving Low Power Mode indicated by the yellow battery icon.
Assessing the features of LPM, the researchers found that the Bluetooth LPM firmware is neither signed nor encrypted. The team claims that under certain circumstances this firmware can be modified to run malware. Those conditions include a jailbroken iPhone, preferably with system-level access. If an attacker already has that level of access, a Bluetooth chip exploit like the one described here is probably overkill.
The researchers claim to have informed Apple about the issues, but the company has not commented on the matter. Similarly, Apple declined to comment when contacted by Motherboard.
Security researcher Ryan Duff told Motherboard: “It’s not really a stand-alone attack without additional vulnerabilities and exploits.”
“It is possible to directly use the Bluetooth chip and change the firmware, but the researchers did not do this, and there is currently no known exploit that would allow this,” Duff added.
In their report posted on arXiv, the team stated that they believe LPM is “a relevant attack surface that should be considered by high-value targets such as journalists, or that could be weaponized to create wireless malware that runs on disabled iPhones”.