Typically, iOS malware does not survive a restart: most known iOS implants are non-persistent, so rebooting the device clears them from memory. However, security researchers from ZecOps have devised a way to make it appear that an iPhone has been shut down and rebooted when it has not, leaving an attacker who already has a foothold free to keep running on the device and even to spy on you through the phone’s camera and microphone. The phone also keeps a live network connection in this state, so it can continue to transmit data to the attacker.
If the iPhone never truly powers down, the malware stays in memory indefinitely. The researchers fittingly call the technique ‘NoReboot’. Given its nature, it is unclear how Apple can address it: NoReboot is not an exploit of a vulnerability in the traditional sense, but a deception of the user, carried out by malware that must already be running on the device with enough privilege to tamper with system daemons.
You can usually tell that a phone is powered off because, beyond the obvious clue of a dark display, the device no longer responds to input: haptic feedback stops, the phone won’t vibrate, the volume buttons do nothing, and so on. However, per Bleeping Computer, ‘Security researchers from ZecOps have developed a trojan proof of concept tool that can inject specially crafted code onto three iOS daemons to fake a shutdown by disabling all the above indicators.’
The trojan intercepts the user’s shutdown attempt and makes the device appear shut down: it ignores input and looks and behaves just like a phone that is powered off. The shutdown event never actually occurs, however, so the phone can still be monitored remotely and can still send data.
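One practical check that follows from this description: a genuine reboot resets the kernel’s boot timestamp, while a simulated one cannot, because the kernel never went down. The script below is an added example written for this article, not ZecOps’ tool or anything from Apple. It assumes the Darwin `sysctl kern.boottime` output format (`kern.boottime: { sec = …, usec = … } …`), and the sample readings are constructed for illustration; the `live_boottime` helper is only meaningful on a macOS or jailbroken iOS shell and is not exercised here.

```python
"""Detect a faked reboot by comparing the kernel boot timestamp before and after
a claimed shutdown/restart. Added example; the sample sysctl lines are constructed."""
import re
import subprocess
from typing import Dict

# Assumption: Darwin prints kern.boottime as '{ sec = <epoch>, usec = <n> } <date>'.
BOOTTIME_RE = re.compile(r"kern\.boottime:\s*\{\s*sec\s*=\s*(\d+),\s*usec\s*=\s*(\d+)\s*\}")


def parse_boottime(sysctl_line: str) -> int:
    """Return the epoch seconds at which the kernel booted, parsed from a sysctl line."""
    match = BOOTTIME_RE.search(sysctl_line)
    if not match:
        raise ValueError(f"unrecognised kern.boottime output: {sysctl_line!r}")
    return int(match.group(1))


def reboot_occurred(before: str, after: str, claimed_reboot_at: int) -> bool:
    """True only if the boot timestamp advanced past the moment the user asked for a shutdown.

    A NoReboot-style fake leaves kern.boottime unchanged because the kernel never restarted.
    'claimed_reboot_at' should come from a clock the malware cannot influence (e.g. an MDM
    server or a second device), since a privileged implant could also tamper with local time.
    """
    t_before = parse_boottime(before)
    t_after = parse_boottime(after)
    return t_after > t_before and t_after >= claimed_reboot_at


def live_boottime() -> str:
    """Read the current value on a Darwin host. Not used by the offline samples below."""
    return subprocess.check_output(["sysctl", "kern.boottime"], text=True).strip()


# Constructed readings: the device booted at epoch 1641000000; the user requested a
# shutdown at 1641086000. A real reboot yields a later boot time; a fake one does not.
BEFORE = "kern.boottime: { sec = 1641000000, usec = 0 } Sat Jan  1 00:00:00 2022"
FAKE_AFTER = "kern.boottime: { sec = 1641000000, usec = 0 } Sat Jan  1 00:00:00 2022"
REAL_AFTER = "kern.boottime: { sec = 1641086400, usec = 0 } Sun Jan  2 00:00:00 2022"
CLAIMED_REBOOT_AT = 1641086000


def check_samples() -> Dict[str, bool]:
    """Evaluate both constructed scenarios; the fake reboot must be flagged as False."""
    return {
        "fake_reboot": reboot_occurred(BEFORE, FAKE_AFTER, CLAIMED_REBOOT_AT),
        "real_reboot": reboot_occurred(BEFORE, REAL_AFTER, CLAIMED_REBOOT_AT),
    }


if __name__ == "__main__":
    for name, genuine in check_samples().items():
        print(f"{name}: {'genuine reboot' if genuine else 'NO reboot detected'}")
```

The caveat is that this is a heuristic: malware capable of hooking system daemons could, in principle, also lie to a userland tool asking for `kern.boottime`, so the comparison is most trustworthy when the ‘before’ value was recorded by an external system and the ‘after’ value is collected right after the claimed restart.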
The trojan tool even shows the spinning wheel that normally indicates a shutdown in progress. This is achieved through the iOS daemon backboardd, which handles physical button presses and screen touches. The daemon therefore tells the trojan when the user tries to turn the phone ‘back on’, and the tool then simulates the startup sequence.
The device goes through a full simulated shutdown and reboot, with the user none the wiser. Because the user believes the phone is shutting down, they release the buttons before the hold is long enough to trigger a hardware-forced shutdown, so the device is never actually powered off. You can see this in action in the video above.
There are some open questions. If you watch the video above, you’ll notice that the ‘fake’ startup doesn’t prompt the user for a passcode, which is required after a true restart of an iOS device. Could the tool be extended to include the usual passcode prompt? We also don’t know whether a forced hard reset results in a true shutdown, or whether shutting the phone down through the Settings app does. Presumably, if the phone’s battery runs completely flat, the problem is also avoided. Nonetheless, it’s concerning that a user could be duped by such a tool.