iPhones Vulnerable to Attack Even When Turned Off

The Unseen Threat: Understanding Power-Off Vulnerabilities in Modern Smartphones

We live in an era where mobile security is paramount, yet a finding first published in 2022 challenges a basic assumption about device safety. The iPhone, long heralded as a bastion of consumer privacy and security, keeps three of its wireless radios, Bluetooth Low Energy, NFC (Near Field Communication) and UWB (Ultra-Wideband), powered after the user shuts the phone down. This is not a bug but a deliberate design choice: the low-power mode introduced with iOS 15 lets a powered-off iPhone stay findable through the Find My network, keep using Express Transit and Express Mode cards, and keep working as a digital car key. The consequence is that a device the user believes to be inert still transmits, and still runs firmware on chips that iOS no longer supervises. That gives an attacker who has already compromised the phone a place to keep malware running, and gives a passive observer something to track.

The implications are significant. When a user powers down the iPhone, the device does not cut power to these three wireless chips. They enter a low-power state that maintains a minimal operational baseline: the Bluetooth chip keeps broadcasting Find My advertisements so that nearby Apple devices can report the phone's location, the NFC controller keeps answering Express Mode readers, and the UWB chip stays ready for proximity features. While useful for device recovery, the persistent Bluetooth beacon is an attack surface that sits outside the user's mental model of "off". An attacker with suitable equipment and proximity can observe these transmissions, and if the radio firmware has been tampered with beforehand can interact with a device the owner believes is powered down, screen black, phone in a pocket or bag.

This is not a theoretical risk confined to the laboratory. Researchers at TU Darmstadt's Secure Mobile Networking Lab showed in 2022 that, because the iPhone's Bluetooth firmware is neither signed nor verified at load time, malware that has already gained kernel privileges can replace that firmware with a version that keeps running after shutdown, for example to broadcast the phone's location to the attacker. The attack works because the Bluetooth chip executes its own firmware independently of the application processor; once that processor is off, none of the iOS security mechanisms remain to supervise it. Note what this does not cover: the cellular baseband is powered down on shutdown, which is why a powered-off iPhone cannot receive or place calls, emergency calls included. The radios that matter in the powered-off state are Bluetooth, NFC and UWB, and the separation that makes them reliable is also what lets firmware-level implants and state-sponsored tooling operate there unobserved.

Technical Deep Dive: The Architecture of Always-On Wireless Radios

To gauge the severity of the flaw we must look at the iPhone's internal architecture. The device is built around a System on a Chip (SoC), the A-series Bionic, which integrates the CPU, GPU and Neural Engine and runs iOS. Wireless connectivity, however, lives in separate chips with their own firmware: a cellular modem (historically from Qualcomm or Intel, whose modem business Apple acquired in 2019), a Bluetooth and Wi-Fi combo chip, an NFC controller paired with a Secure Element, and Apple's U1 Ultra-Wideband chip. When the user holds the side button and drags the power-off slider, iOS runs its normal shutdown sequence: apps and services on the application processor are stopped and the SoC is powered down. Once the screen goes black, the user assumes the device is inert.

The electrical reality is different. The Power Management IC (PMIC) continues to feed a small amount of power to specific circuits. The beneficiary is not the Secure Enclave, which is powered together with the application processor and whose passcode-derived keys are discarded at shutdown, but the wireless subsystems. The Bluetooth Low Energy chip, the NFC controller together with the Secure Element that holds Express cards, and the Ultra-Wideband (UWB) chip remain in a standby mode that consumes microwatts. In that state the iPhone can answer specific radio-frequency (RF) triggers, such as a transit gate reader tapped with an Express Transit card, and can keep emitting the Find My advertisements that other Apple devices pick up.

The primary vector here is Bluetooth Low Energy (BLE) advertising. In the low-power state the iPhone periodically broadcasts advertising packets carrying a rotating public key; other Apple devices encrypt their own location to that key and upload the result, so only the owner, who holds the seed the keys are derived from, can decrypt the reports. Nothing in the packet links it to an Apple ID. An attacker can capture these packets with a passive sniffer, but the rotation means a bystander cannot tell which packets belong to which phone. The danger rises sharply if the attacker has previously compromised the device, or had it in hand long enough to plant something, because the Bluetooth firmware can then be altered to advertise whatever the attacker wants to recognise and act on. Two windows deserve attention: the period right after shutdown, when the wireless chips are in low-power mode and the application processor is gone, and early boot, when the radios are already powered but iOS and its protections are not yet running.

The Role of the Baseband Processor

The Baseband Processor is a standalone computer within the iPhone responsible for cellular communications (4G/LTE, 5G). It runs its own real-time operating system (RTOS) and firmware. In many mobile architectures the baseband has direct memory access (DMA) to system memory; Apple places it behind an IOMMU so that it cannot read or write application-processor memory at will, but its firmware is still a large, rarely audited attack surface. Vulnerabilities there are common and rarely disclosed in detail, and a rogue base station or femtocell sending malformed signalling to a powered-on phone is the classic way to reach them, entirely outside the view of iOS and its mechanisms such as Pointer Authentication Codes (PAC) and Kernel Integrity Protection (KIP). That surface, however, belongs to the powered-on device. When the iPhone is shut down the baseband is powered off along with the application processor: it does not listen for paging, and the phone can neither receive nor place calls. The powered-off attack surface discussed in this article is the Bluetooth, NFC and UWB low-power mode, not the baseband.

The Attack Vectors: How Exploitation Occurs in a Powered-Down State

We have identified three primary attack vectors that leverage the iPhone’s active wireless radios when the device is ostensibly turned off. These vectors require varying levels of sophistication, from relatively simple proximity attacks to complex, targeted operations.

1. Bluetooth Low Energy (BLE) Tracking and Beacon Spoofing

The most accessible vector involves the BLE advertising packets. Because the iPhone continuously broadcasts Find My advertisements, an attacker can deploy a network of sniffers in high-traffic areas (airports, cafes, public transport) to log them. Apple rotates the advertised public key and the random BLE address together, precisely so that an arbitrary third party cannot link sightings across rotations. What defeats the rotation is compromise of the device itself: an attacker who has extracted the seed from which the keys are derived, or who has modified the Bluetooth firmware to advertise a recognisable value, can follow the target regardless of rotation.

The Find My network itself relies on encrypted location reports that finder devices upload to Apple's servers. Researchers have reverse-engineered the advertisement format and shown that any BLE device can emit spoofed Find My advertisements and be located through the network, which is a weakness in what the network accepts rather than in the iPhone. Whether such packets could make a powered-off iPhone initiate a connection or disclose data has not been demonstrated: in the low-power state the Bluetooth chip's job is to advertise, and what it does with anything it receives is decided entirely by its firmware. That is why the unsigned-firmware problem matters more than the packet format: firmware an attacker has rewritten can be made to listen for, and act on, a packet of the attacker's choosing.
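The advertisement format behind the tracking discussion above can be made concrete. The following Python script is an added example, not code from the original article or from Apple; it assumes the publicly reverse-engineered offline-finding layout (Apple company ID 0x004C, type 0x12, a 25-byte body, key bytes 0 to 5 carried in the random BLE address with the top two bits of byte 0 forced to 0b11) and uses constructed keys, not real ones. It builds an advertisement from a key, parses one back, and groups sightings by key, which is all a passive observer can do without the owner's seed.

```python
"""Parse Apple Find My (offline finding) BLE advertisements and reconstruct
the advertised public key.

Added example, not Apple's code. Assumes the publicly reverse-engineered
layout: the 6-byte random BLE address carries key bytes 0..5 (top two bits
of byte 0 forced to 0b11 for a random static address), and the manufacturer
AD structure carries key bytes 6..27 plus the two displaced bits.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

APPLE_COMPANY_ID = 0x004C
OFFLINE_FINDING_TYPE = 0x12
OFFLINE_FINDING_LEN = 0x19        # 25 bytes follow the length byte
AD_TYPE_MANUFACTURER = 0xFF
KEY_LEN = 28                      # P-224 public key x-coordinate


@dataclass(frozen=True)
class OfflineFindingAdv:
    public_key: bytes   # 28 bytes reconstructed from address + payload
    status: int         # battery/state byte; not identifying
    hint: int


def build_adv(public_key: bytes, status: int = 0, hint: int = 0) -> Tuple[bytes, bytes]:
    """Return (ble_address, adv_payload) for a 28-byte key, per the layout above."""
    if len(public_key) != KEY_LEN:
        raise ValueError("expected a 28-byte public key")
    addr = bytes([public_key[0] | 0xC0]) + public_key[1:6]
    mfg = (bytes([APPLE_COMPANY_ID & 0xFF, APPLE_COMPANY_ID >> 8,
                  OFFLINE_FINDING_TYPE, OFFLINE_FINDING_LEN, status & 0xFF])
           + public_key[6:KEY_LEN]
           + bytes([public_key[0] >> 6, hint & 0xFF]))
    return addr, bytes([len(mfg) + 1, AD_TYPE_MANUFACTURER]) + mfg


def iter_ad_structures(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ad_type, data) for each length-prefixed AD structure; stop at
    zero padding or a truncated structure instead of reading past the end."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length


def parse_adv(addr: bytes, payload: bytes) -> Optional[OfflineFindingAdv]:
    """Return the decoded advertisement, or None if this is not offline finding."""
    for ad_type, data in iter_ad_structures(payload):
        if ad_type != AD_TYPE_MANUFACTURER or len(data) < 4:
            continue
        company = data[0] | (data[1] << 8)
        if company != APPLE_COMPANY_ID or data[2] != OFFLINE_FINDING_TYPE:
            continue
        body = data[4:4 + data[3]]
        if data[3] != OFFLINE_FINDING_LEN or len(body) != OFFLINE_FINDING_LEN:
            return None
        status, key_tail, top_bits, hint = body[0], body[1:23], body[23], body[24]
        first = (addr[0] & 0x3F) | ((top_bits & 0x03) << 6)
        return OfflineFindingAdv(bytes([first]) + addr[1:6] + key_tail, status, hint)
    return None


def group_sightings(sightings: List[Tuple[float, bytes, bytes]]) -> Dict[bytes, List[float]]:
    """Group (timestamp, addr, payload) sightings by advertised key. This is all
    a passive observer can do: keys are only comparable with themselves, and
    linking two different keys to one iPhone needs the owner's seed."""
    seen: Dict[bytes, List[float]] = {}
    for ts, addr, payload in sightings:
        adv = parse_adv(addr, payload)
        if adv is not None:
            seen.setdefault(adv.public_key, []).append(ts)
    return seen


if __name__ == "__main__":
    # Constructed keys, not real Find My keys.
    key_a = bytes([0xD5]) + bytes(range(2, 29))
    key_b = bytes([0x3A]) + bytes(range(100, 127))
    addr_a, adv_a = build_adv(key_a, status=0x10)
    addr_b, adv_b = build_adv(key_b, status=0x10)
    print("address", addr_a.hex(":"), "payload", adv_a.hex())
    print(parse_adv(addr_a, adv_a))
    groups = group_sightings([(0.0, addr_a, adv_a), (60.0, addr_a, adv_a), (900.0, addr_b, adv_b)])
    print({k.hex()[:8]: v for k, v in groups.items()})
```

The point of `group_sightings` is what it cannot do: after a rotation the same phone shows up as a new key, and nothing in the packets ties the two together. A sniffer network only becomes a tracker once the attacker holds the seed or controls the firmware that picks the advertised bytes.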

2. NFC Relay Attacks and Data Skimming

The NFC controller in an iPhone remains active in the powered-down state to support Express Transit and Express Mode cards. This lets users tap the phone at a transit gate or a compatible door even when the battery is too low to boot iOS, for a limited reserve period. The card credentials live in the Secure Element, a dedicated chip isolated from the main processor, so the feature does not expose the user's data at rest. What it does expose is the classic contactless relay risk.

In a relay attack, the adversary holds a reader near the powered-off iPhone and forwards the contactless exchange in real time to a second device at a legitimate terminal or door, which cannot tell that the card is not really present; contactless protocols tolerate generous response delays (the ISO/IEC 14443 frame waiting time can approach five seconds), so the relay's added latency goes unnoticed. Conversely, a rogue reader can send arbitrary commands to the iPhone's NFC controller. The controller is designed to reject anything outside the Express Mode flow, but a vulnerability in the NFC stack or controller firmware, triggered for instance by a malformed frame, could allow code execution. Since the main processor is off, such execution would be confined to the NFC controller, but it could be used to stage malware that activates the moment the user turns the phone back on.

3. Ultra-Wideband (UWB) Interception

Introduced with the iPhone 11, Ultra-Wideband technology allows for precise spatial awareness and direction finding. UWB is integral to features like AirDrop directionality and digital car keys. Like Bluetooth and NFC, the UWB radio remains active in the low-power state to listen for proximity-based triggers. This technology operates in the 3.1 GHz to 10.6 GHz frequency range, using short pulses of radio energy.

The security risk with UWB is unique because of its precision. An attacker with UWB hardware could locate a device to within tens of centimetres, far better than GPS or BLE can manage. The protocol stack is complex, so implementation flaws are plausible; a bug in the ranging exchange or its cryptography could let an attacker inject data or disrupt the radio. The digital car key case deserves care. UWB ranging exists precisely to defeat the relay attacks that plague Bluetooth-only and NFC-only keys: it measures time of flight, and any relay adds delay that makes the car compute a larger distance. A compromised UWB interaction in the powered-down state could therefore unlock a vehicle only if the ranging itself were broken, and it would still require very close proximity and specialised equipment.
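The relay discussion in the NFC section and the ranging point above share one piece of arithmetic. The following Python script is an added example, not Apple's code or the CCC Digital Key implementation; the 3 m unlock radius, the 1 µs turnaround and the 200 ns relay hop are constructed figures, while the single-sided two-way ranging formula and the ISO/IEC 14443 frame waiting time formula are the standard ones. It shows why a relay that passes unnoticed at an NFC reader is rejected by a time-of-flight bound.

```python
"""Why a time-of-flight bound defeats relays and a contactless frame timeout
does not.

Added example, not Apple's or the CCC Digital Key implementation. The 3 m
unlock radius, the reply turnaround and the relay delay are constructed
figures; the ISO/IEC 14443 frame waiting time formula and the single-sided
two-way ranging (SS-TWR) arithmetic are the standard ones.
"""
from typing import Tuple

C = 299_792_458.0          # speed of light, m/s
FC = 13.56e6               # ISO/IEC 14443 carrier frequency, Hz


def ss_twr_distance(t_round_s: float, t_reply_s: float) -> float:
    """SS-TWR: the verifier measures the round trip, the key reports its
    turnaround time, and time of flight is half of what remains."""
    tof = (t_round_s - t_reply_s) / 2.0
    return C * tof


def uwb_unlock_decision(t_round_s: float, t_reply_s: float,
                        max_distance_m: float = 3.0) -> Tuple[bool, float]:
    """Unlock only if the measured distance is within the configured radius."""
    d = ss_twr_distance(t_round_s, t_reply_s)
    return d <= max_distance_m, d


def relayed_round_trip(true_distance_m: float, t_reply_s: float,
                       relay_delay_s: float) -> float:
    """Round trip the verifier sees when a relay sits in the path. A relay can
    only add latency; it cannot make the reply arrive earlier than light does."""
    return 2.0 * true_distance_m / C + t_reply_s + relay_delay_s


def iso14443_fwt_seconds(fwi: int) -> float:
    """Frame waiting time a reader tolerates: FWT = (256 * 16 / fc) * 2**FWI."""
    if not 0 <= fwi <= 14:
        raise ValueError("FWI is a 4-bit field with maximum value 14")
    return (256 * 16 / FC) * (2 ** fwi)


def nfc_reader_accepts(response_delay_s: float, fwi: int = 14) -> bool:
    """An NFC reader has no distance bound, only a timeout; a relay that adds
    tens of milliseconds is still well inside the largest FWT."""
    return response_delay_s <= iso14443_fwt_seconds(fwi)


if __name__ == "__main__":
    T_REPLY = 1e-6          # constructed 1 us turnaround on the key side
    honest = relayed_round_trip(1.0, T_REPLY, 0.0)         # key 1 m from the car
    relayed = relayed_round_trip(1.0, T_REPLY, 200e-9)      # 200 ns relay hop
    print("honest  :", uwb_unlock_decision(honest, T_REPLY))
    print("relayed :", uwb_unlock_decision(relayed, T_REPLY))
    print("NFC relay adding 50 ms accepted:", nfc_reader_accepts(0.050))
```

A 200 ns relay hop is optimistic for real hardware, and it still moves the computed distance by about 30 m, which is why the UWB check rejects it; the same relay at an NFC reader is invisible against a timeout measured in seconds.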

The “Power-Off” Illusion: Why Shutting Down Does Not Guarantee Security

We must address the misconception that a powered-down smartphone is a secure smartphone. The concept of “off” has evolved. In the early days of mobile phones, turning off the device meant removing all power from all circuits. Modern smartphones, however, are complex ecosystems of specialized chips that require standby power to maintain system integrity and user convenience.

The iPhone's Always-On Processor (AOP) is a low-power core that handles sensor data and system events while the main processor is asleep; it services the accelerometer, gyroscope and proximity sensor and enables features like Raise to Wake and Tap to Wake. That is the asleep state, in which iOS is still resident and can be woken. The post-shutdown low-power mode is different: the application processor is off altogether, and what stays powered is the set of wireless chips, which then run their own firmware with nothing above them.

This design prioritises user experience over absolute security. Express Transit is marketed as a convenience, and Apple explicitly documents that Express cards keep working for a few hours after the iPhone shuts down because its battery is low. That convenience is a trade-off, because part of the device must keep listening: a reader's RF field wakes the NFC controller and Secure Element, and the Find My key stays on the air. Whether any radio signal can wake more than the chip that receives it is decided by that chip's firmware, which, in the Bluetooth case, an attacker with prior access can rewrite.

The Secure Enclave, the hardware key manager, is a different matter. It is isolated from the application processor but is powered with it; after a shutdown the keys derived from the user's passcode are gone and the device returns in the "before first unlock" state, in which most user data is inaccessible even to someone who seizes the phone. For data at rest, a powered-off iPhone is therefore better protected than a locked one, not worse. The powered-off attack surface is not the Secure Enclave but the radios and the firmware they run, which the software defences on the application processor cannot reach because that processor is not running.

The Mechanics of Pre-Loaded Malware Execution

The specific threat referred to here, "pre-loaded malware", is malicious code already present on the device but dormant. It might have arrived through a sophisticated phishing attack carrying an exploit chain, a compromised developer certificate, or physical tampering. When the device is on, the malware runs under iOS. What the low-power mode adds is a place for such malware to keep running after the user believes the phone is off, and a radio trigger for it.

Consider a user who installs a seemingly benign app carrying spyware, or whose phone has been compromised by an exploit chain that reaches the kernel. The malware stays dormant and asks for nothing suspicious. Before the user shuts the phone down, the malware, which needs kernel privileges for this step, replaces the Bluetooth firmware with a version that keeps transmitting, either on a schedule or in response to a particular advertisement from the attacker's own hardware. The application processor is not running in this state, so the modified firmware cannot execute iOS code or read the encrypted file system; what it can do is run on the Bluetooth chip for as long as the battery lasts, beacon an identifier the attacker recognises, and transmit whatever data it was handed before shutdown.

This technique is a covert channel: it sidesteps the network monitoring that watches Wi-Fi and cellular traffic because the communication happens over short-range BLE to a receiver the attacker controls. The malware does not need an internet connection; it can stage stolen data (keys, contacts, messages) before shutdown and leak it slowly through advertising payloads to a nearby receiver, or simply use the beacon to keep the victim trackable, and resume ordinary exfiltration once the phone is on again.
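One way to look for the beacon-based covert channel described above in sniffer output. The following Python script is an added example, not code from the original article; the log format "ts,addr,payload_hex" and every log line in it are constructed, the payload hex is abbreviated, and the heuristic rests on one assumption stated in the code: a stock Find My beacon rotates its random address and its payload together, so one address shows one payload, whereas an advertiser carrying data changes its payload under a fixed address.

```python
"""Heuristic detector for a data-carrying BLE advertiser in sniffer logs.

Added example, not from the original article. The log format
"ts,addr,payload_hex" and all log lines are constructed, with abbreviated
payload hex. Assumption behind the heuristic: a stock Find My beacon rotates
its random address and its payload together, so under any one address the
payload is constant, whereas an advertiser that is moving data changes its
payload from broadcast to broadcast while keeping the same address.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_LOG = """\
# ts,addr,payload_hex  (constructed; payload hex abbreviated)
1700000000.0,c1:02:03:04:05:06,1eff4c001219001011
1700000001.0,c1:02:03:04:05:06,1eff4c001219001011
1700000002.0,c1:02:03:04:05:06,1eff4c001219001011
1700000003.0,c1:02:03:04:05:06,1eff4c001219001011
1700000000.5,fa:9e:11:22:33:44,1eff4c0012190001a1
1700000001.5,fa:9e:11:22:33:44,1eff4c0012190002b2
1700000002.5,fa:9e:11:22:33:44,1eff4c0012190003c3
1700000003.5,fa:9e:11:22:33:44,1eff4c0012190004d4
1700000004.0,d3:77:00:00:00:01,0201061aff4c000c0e00
1700000005.0,d3:77:00:00:00:01,0201061aff4c000c0e01
"""


class Verdict(NamedTuple):
    addr: str
    broadcasts: int
    distinct_payloads: int
    change_rate: float   # fraction of consecutive broadcasts whose payload differs
    suspicious: bool


def parse_log(text: str) -> Dict[str, List[Tuple[float, str]]]:
    """Group (timestamp, payload) per address, sorted by time; skip comments."""
    per_addr: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, addr, payload = line.split(",")
        per_addr[addr.lower()].append((float(ts), payload.lower()))
    for entries in per_addr.values():
        entries.sort()
    return per_addr


def assess(per_addr: Dict[str, List[Tuple[float, str]]],
           min_broadcasts: int = 4, max_change_rate: float = 0.25) -> List[Verdict]:
    """Flag an address whose payload keeps changing. min_broadcasts avoids
    judging an address seen only once or twice; max_change_rate tolerates an
    occasional status-byte change (battery level) in an otherwise static beacon."""
    verdicts = []
    for addr, entries in per_addr.items():
        payloads = [p for _, p in entries]
        changes = sum(1 for a, b in zip(payloads, payloads[1:]) if a != b)
        rate = changes / (len(payloads) - 1) if len(payloads) > 1 else 0.0
        suspicious = len(payloads) >= min_broadcasts and rate > max_change_rate
        verdicts.append(Verdict(addr, len(payloads), len(set(payloads)), rate, suspicious))
    return verdicts


def suspicious_addresses(text: str) -> List[str]:
    """Convenience wrapper: the addresses in a log that trip the heuristic."""
    return sorted(v.addr for v in assess(parse_log(text)) if v.suspicious)


if __name__ == "__main__":
    for v in assess(parse_log(SAMPLE_LOG)):
        print(v)
    print("suspicious:", suspicious_addresses(SAMPLE_LOG))
```

The third address in the sample changes its payload on every broadcast but is seen only twice, so it stays below the broadcast threshold; raise `min_broadcasts` for noisy environments and lower it when you are watching a single device at close range.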

Mitigation Strategies: How to Protect Your Device

While the always-on behaviour is inherent to the design, we can adopt several strategies to minimize the risk. Absolute security is rarely achievable in consumer electronics, but risk reduction is feasible and necessary.

1. Disable “Find My” and Wireless Features

The most effective way to make the Bluetooth radio actually stop is to disable the feature that keeps it running. On iOS 15 and later the power-off screen says "iPhone Findable After Power Off"; tapping that text offers "Temporarily Turn Off Finding" for this shutdown. To turn it off permanently, go to Settings > [Your Name] > Find My > Find My iPhone and disable "Find My network". For NFC, open Settings > Wallet & Apple Pay and turn off Express Transit Card and any card's Express Mode; with no Express cards configured the Secure Element has nothing to answer a reader with. Both choices cost functionality, and Find My is also the feature that lets you locate or remotely erase a stolen phone, so weigh the trade-off; for users in high-threat environments it may be the right one.

2. Utilize Airplane Mode Before Powering Down

Airplane Mode is not a substitute. Apple's description of offline finding does not depend on Airplane Mode, and the cellular baseband is off after shutdown in any case, so enabling Airplane Mode before powering down changes nothing about the low-power state; the Bluetooth, NFC and UWB chips behave exactly as before. Where Airplane Mode does help is while the phone is on: it disables the cellular and Wi-Fi radios (Bluetooth stays on unless it is switched off separately) and so shrinks the surface exposed to rogue base stations while the device is running in a pocket. It is a habit worth cultivating for that reason, not as a shutdown ritual.

3. Physical Isolation

For extreme scenarios, physical isolation is the gold standard. A Faraday bag or pouch blocks electromagnetic signals in both directions, so a powered-down iPhone inside one can neither be reached by cellular, Bluetooth, Wi-Fi, UWB or NFC readers nor broadcast its Find My beacon. This is the only method that removes the radio path entirely while the device is stored, with two caveats: the bag is only as good as its attenuation and its seal (test it by trying to ring or locate the phone while it is inside), and it does nothing once the phone comes out.

4. Regular Firmware Updates

Apple regularly releases iOS updates that patch vulnerabilities in the firmware of the baseband and wireless controllers. Updates cannot change the architecture that keeps radios active, and signed, verified Bluetooth firmware is a design change rather than a patch, but they do fix the specific bugs that make exploitation possible (a buffer overflow in the Bluetooth stack, for example), and they close the kernel-level holes that malware needs before it can touch firmware at all. Running the latest version of iOS is therefore a critical defence against known exploits.

The Future of Mobile Security and Hardware Architecture

As we look forward, the line between “on” and “off” in computing will continue to blur. The demand for instant-on experiences, digital car keys, and seamless connectivity drives manufacturers to keep subsystems powered at all times. The emergence of Ultra-Wideband and the Matter smart home protocol will likely expand these always-on capabilities.

We believe the industry must pivot toward a security-first design philosophy for power states. One option is a hardware switch that physically disconnects the radios from the battery, a feature rarely seen in modern smartphones because of water resistance and space constraints. A cheaper fix is to verify the firmware rather than every signal: a Bluetooth chip that refuses to boot code its vendor has not signed, as the application processor already does, removes the firmware-implant scenario without adding per-packet cryptographic overhead on the low-power chips.

For now, the vulnerability remains a reality of the iPhone’s design. As security researchers, we continue to monitor the threat landscape. The discovery that iPhones are vulnerable to attack even when turned off serves as a stark reminder that digital privacy requires constant vigilance. Users must understand that their devices are sophisticated radio transmitters that are never truly silent, and they must adjust their security habits accordingly.

Comparing iPhone Vulnerability to Android Devices

This issue is not exclusive to Apple. Many high-end Android devices use similar low-power states for NFC payments, and some vendors now offer powered-off finding through Google's Find My Device network as well. The implementation varies: which chips stay powered, whether their firmware is verified, and how long the device stays findable differ by vendor, and the fragmentation of the Android ecosystem means that hardware security integration ranges from dedicated security chips to a bare TEE. Android's finer-grained control over permissions and background processes limits what an ordinary app can do, but it is irrelevant to malware that already has kernel privileges, which is the level at which firmware implants operate on either platform. The core property, active radios in a powered-off state, is an industry-wide consequence of the same convenience features, and has to be assessed per device rather than per platform.

Conclusion: A Call for Awareness and Action

We have established that the iPhone's Bluetooth, NFC and UWB radios remain active in a low-power state even when the device is turned off. This design choice, intended to support convenient features like Find My and Express Transit, creates a covert attack surface that sophisticated threat actors can use to track users, keep firmware-level malware running, or leak data. Because those chips run their own firmware with nothing above them once the application processor is off, the concept of a truly "off" device is a misnomer.

The risks range from passive tracking via BLE beacons to active exploitation of firmware vulnerabilities in the Bluetooth, NFC and UWB stacks. Apple's Secure Enclave and hardware isolation protect data at rest well, and a powered-off phone is in its best-protected state for stored data, but they cannot eliminate the radio-side risk. We recommend that users in sensitive positions disable Find My network and Express Modes, and for maximum security use physical Faraday shielding.

As technology evolves, the tension between convenience and security will persist. We urge users and security professionals to treat the powered-down state of a smartphone not as a guarantee of safety, but as a reduced-threat environment that still requires vigilance. The “always-on” nature of the iPhone is a testament to modern engineering, but it is also a reminder that in the digital age, silence is rarely absolute.
