Recently, Apple introduced a useful but potentially dangerous feature to its iPhones. Most of us would assume that a phone becomes inactive when switched off by the user or, due to low power. Surprisingly, newer phones continue limited functionality for several hours in low power mode or even if it is off. This includes cards in your Wallet and the Find My service. This feature caught the attention of TU Darmstadt, resulting in an interesting paper.
The low power mode makes it possible to continue making (travel) payments, open your car, or find your phone when lost. Clearly, this can provide a great user experience. Imagine your relief when you find an exhausted phone battery after a long day, but you can still open your car or pay for transit. Or, think of that time you switched off your phone but forgot where you left it. In those situations, this service can be a lifesaver.
However, there is also another side to the story. Often, card services in your phone require user authentication involving the user interface of your phone. In low power mode, only the NFC chip is enabled and, therefore, cannot rely on the phone to perform authentication of the user. This means that anyone holding the phone theoretically can make so-called express payments for amounts below the merchant’s authentication limit (100 USD in the United States), which effectively offers the same level of security as a regular payment card. It is true that many mobile payment cards are pre-configured to disable express payments, but users may be tempted to enable them without realizing they also abandon payment authentication.
The Bluetooth service plays a central role in the Find My system. Sometimes a user wants to be anonymous and untraceable. However, switching off your phone would not achieve that for you. Although the Find Me service is normally only available for authorized users, this does not stop the Bluetooth traffic, and adversaries might still be able to track a device.
Lastly, the researchers find that the Bluetooth chip is not well protected, and its firmware could be analyzed and altered by an iPhone user with privileged access. While this is a complex process, it may also lead to discovering and exploiting new vulnerabilities that would introduce even more risk. It would be great if Apple would address the Bluetooth chip weakness and migrate to better firmware security.
In general, product vendors should be very cautious about security implications when introducing features without increasing user awareness. The human factor always plays an important role in security, and you cannot assume the right behavior when awareness is missing. A security assessment may help understand whether other measures mitigate a lack of user prudence.
With this post, we also like to make iPhone users aware of the risks and encourage them to use the new feature wisely (and never lose their phone).