Faking an iPhone shutdown could allow malware to survive a reboot

Posted in iPhone, edited January 2022
Security researchers have developed a new technique for faking a shutdown on iPhone, potentially granting malware persistence even after an iOS reboot.

Apple iPhone 13 models

Generally, a reboot will wipe any malicious code off an iPhone. But the security technique, dubbed "NoReboot" by researchers at ZecOps, could allow iPhone malware to gain persistence, or survive after reboots.

The technique works by faking an iPhone shutdown in an attempt to trick a user into believing their device has been shut off. If an attacker pulls off the trick, any malware can continue operating on the device -- and the bad actor could also potentially spy on a user with an iPhone's camera and microphone without their knowledge.

"NoReboot" works by injecting malicious code into three background processes -- InCallService, SpringBoard and backboardd -- that are responsible for the reboot process on iPhone.

Once an attacker hijacks the reboot process, an iPhone will appear to the user to be off, while in fact it remains fully awake and connected to the internet. That could allow the attacker to do pretty much anything they want without alerting the user.

The process also works in reverse. "NoReboot" can show a fake wake or startup process to trick the user into believing that their iPhone has actually undergone a reboot.

There's no patch for the "NoReboot" technique because it doesn't actually exploit any bugs. To fix it, ZecOps researchers said that Apple would need to build in a hardware-based indicator to display an iPhone's on or off status.

While "NoReboot" isn't malware, the technique could be built into malicious applications as a way of evading detection and gaining persistence on an iOS device.

Who's at risk -- and how to protect yourself

As mentioned earlier, "NoReboot" can't be patched. Additionally, ZecOps says that the technique can be carried out on any iPhone model running any version of iOS.

iPhone users can protect themselves by only downloading reputable apps from the App Store. There are also tools, including one made by ZecOps, that can check if an iPhone has been compromised.


Comments

  • Reply 1 of 7
    What happens if the iPhone shuts down because the battery runs out of power? In this case, is the NoReboot code still present in the compromised background processes and is the malicious code which installed it (or any other malicious code) still present?
  • Reply 2 of 7
    Watch the video and you will see the obvious giveaway that a true shutdown did not occur - FaceID was not disabled and the mandatory passcode entry was not required at first unlock. Also recall that the iPhone uses unique text when prompting for the passcode after a shutdown or restart compared to repeated FaceID or TouchID failures.
  • Reply 3 of 7
    This wouldn't survive a hardware reboot, which for the past half decade has been pressing volume up, then volume down, then holding the side button.

    https://support.apple.com/en-is/guide/iphone/iph8903c3ee6/ios
  • Reply 4 of 7
    lkrupp (Posts: 10,557, member)
    Gotta keep in mind that for security researchers everything is an apocalypse. Apparently you have to install an app with the malicious code and how do you do that unless you jailbreak your iPhone. Another nothing-burger here. Let’s move along, please.
  • Reply 5 of 7
    This just in: if you lose the key to your front door, someone can find that key and use it to open your door! A bug that can’t be patched.

    Also, the windows in your house are often made of glass, highly breakable. Allowing entrance to the glass breaker. We’re hoping for a fix.
  • Reply 6 of 7
    lkrupp said:
    Gotta keep in mind that for security researchers everything is an apocalypse. Apparently you have to install an app with the malicious code and how do you do that unless you jailbreak your iPhone. Another nothing-burger here. Let’s move along, please.

    From the practical compromise POV; I fully agree. However to say this is a nothing-burger misses the point, IMO. The publication of the researcher's discoveries provides 3rd party research to back Apple's position about side-loading apps and the security implications that come from it.

    This is what makes this an important thing and not a nothing-burger.