Faking an iPhone Reboot

Researchers have figured how how to intercept and fake an iPhone reboot:

We’ll dissect the iOS system and show how it’s possible to alter a shutdown event, tricking a user that got infected into thinking that the phone has been powered off, but in fact, it’s still running. The “NoReboot” approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a “fake shutdown.” There is no user-interface or any button feedback until the user turns the phone back “on.”

It’s a complicated hack, but it works.

Uses are obvious:

Historically, when malware infects an iOS device, it can be removed simply by restarting the device, which clears the malware from memory.

However, this technique hooks the shutdown and reboot routines to prevent them from ever happening, allowing malware to achieve persistence as the device is never actually turned off.

I see this as another manifestation of the security problems that stem from all controls becoming software controls. Back when the physical buttons actually did things—like turn the power, the Wi-Fi, or the camera on and off—you could actually know that something was on or off. Now that software controls those functions, you can never be sure.

Tags: , , ,

Posted on January 12, 2022 at 6:15 AM30 Comments

Comments

Tom January 12, 2022 6:37 AM

Hi,

Could you not simply wait for the battery to run flat or would it avoid that too? Not very practical I know.

Best wishes,

Tom.

Cajun January 12, 2022 8:01 AM

Re: Tom: waiting for dead battery
I would imagine so. The blogpost mentions it is (to their knowledge) not possible to hijack the force restart, which would wipe the malware. It did say it is possible to deceive a user into releasing the buttons earlier than they ought to, making it appear like a force restart. If the user kept holding it down it would still force restart, however. In the future, it may be possible that force restarts become software level, and that would be truly scary. I guess in that hell, you can just stab the battery. A flat battery may work, but I imagine it’s like a laptop that doesn’t go until it’s truly dead in order to save open applications, but I could be entirely wrong.

sle January 12, 2022 8:37 AM

@Tom

Yours solution works, but Lithium-Ion batteries dislike complete discharge, they tend to permanently loose capacity when fully discharged.

To get security back, you have to “hurt” your smartphone battery.

David Rudling January 12, 2022 8:37 AM

The movement for items to be third party repairable (e.g. remove and replace a battery) may have an additional and unexpected good side then.

Clive Robinson January 12, 2022 8:43 AM

@ Bruce, ALL,

I see this as another manifestation of the security problems that stem from all controls becoming software controls. Back when the physical buttons actually did things…

The important thing to note is,

“This is an illussion at the user interface only.”

If you have a suspicious mind there are some quite easy ways to detect the phone is still functioning as a turned on phone rather than one that is actually off.

One such is discovering “On Air Activity” which I have mentioned several times in the past (often all you need is a colocated AM radio).

But it brings up a more curious point I made quite a few years ago now,

1, You have fully functioning software that takes up a measure of resources.

2, Adding malware to fake behaviour takes up further resources.

3, The better or more encompassing the malware is, the more resources it needs.

4, At some point the extra resource usage becomes unavoidably visable in a manner of ways.

So the upshot is the malware can not actually hide it’s self, a lesson that was demonstrated by “RootKits” back a couple of decades ago.

The question then becomes one of which way of interacting with the phone gives the earliest warning that something is not right thus malware should be suspected?

David January 12, 2022 8:48 AM

A good question is, if a passcode was enabled on the phone, would the technique also make the passcode prompt come up after a stimulated reboot?

Ted January 12, 2022 8:48 AM

Catalin Cimpanu said: “At the time of writing, no iOS malware has been seen or publicly documented using a trick resembling NoReboot.”

One part of the blog post I don’t understand is when they say this specific bug is only paying tricks with the human mind. It’s an actual malware right? Is it a non-persistent malware that can be eliminated with an effective forced reboot?

John January 12, 2022 11:01 AM

Hmmm….

The reset button on the original IBM PC came about because of buggy DOS software!

This was said to be became “All software has bugs”. These ‘bugs’ made billions of dollars for the vendor!

Here we are again. Cannot remove battery. Cannot really turn off device.

My backup cell phone has a removable battery. If I leave the battery in but the phone turned off in not too short order the battery is dead. If I put the battery in backwards so it is not connected, the battery stays charged for months! The same is true for my access point.

So even with this old brain dead phone, it apparently turns itself on from time to time when it can.

Now my ‘regular’ cell phone wants me to tell it how to connect to MY WIFI…. No thanks!!

Phones without removable batteries or open source software are a very bad idea! I notice that the latest ‘improvement’ is to eliminate physical SIMs.

John

Quantry January 12, 2022 11:19 AM

@Clive Robinson, all. You asked

“which way of interacting with the phone gives the earliest warning that something is not right thus malware should be suspected?”

If Bruce sees this “as another manifestation of the security problems that stem from all controls becoming software controls”, and… (loosely quoted [1])… “good penetration [techs] … always get in… [And] against a suitably skillful, sustained [attack on our systems] we cannot defend”,

perhaps the answer to many of these conundrums is DEMANDING DEVICES having a literal kill-switch, which it seems the librem almost got right with their “kill switches to physically disconnect WiFi, Bluetooth, cellular signal, microphone & camera”, [2] except I’d still have to take the battery out when the transmission is over, I suspect. Which the Kyocera DuraXV-Extreme also AT LEAST got right by providing a REMOVABLE BATTERY, [3].

I’d like to see this not just for our phones, but for routers and so on.

WARNING:
The problem Ive had with re-registering a phone too often after a battery disconnect however, is that it seems to make the MITM very cranky, who may then resort to various MORE EXTREME measures, like physical and social harms. “If you cant beat em, beat em”, seems to be the motto of the local thugs. They’ve even resorted to taking their frustrations and lusts out on my family, repeatedly. Tax dollar “creep”.

[1] ht tps://www.youtube.com/watch?v=Bh4Aea5dn34 (meter 10:40 – 10:59 ish)
[2] ht tps://puri.sm/products/librem-5/
[3] ht tps://kyoceramobile.com/duraxv-extreme/

@Bruce, btw something going on with pressabledn evidently blocked the blog loading, first try. Thanks again.

Mike Nomad January 12, 2022 12:39 PM

Quantry said: Kyocera DuraXV-Extreme also AT LEAST got [it] right by providing a REMOVABLE BATTERY.

A removable battery is part of the reason why I bought a Sonim XP3pro. The other reason being that I could get it without a camera.

Kronos January 12, 2022 12:46 PM

Quantry> I’d like to see this not just for our phones, but for routers and so on.

I have spent a fair amount of my career dealing with various laptops and during serious troubleshooting, at least when said laptop would boot, the next step would be “remove the battery and after leaving it out for a minute reinstall it and try to boot it”. More than a few times that would either resolve the issue or lead me to a point where I could apply a fix that was impossible prior to battery removal.

More laptop makers are now putting batteries in such a way that quick/easy removal is difficult, doubtless following in the path of numerous cell phone manufacturers.

humdee January 12, 2022 1:54 PM

@clive

The problem is that when malware makes itself felt in the way you describe it is impossible for the average user to differientate malware from just another bug. Maybe Apple’s walled garden makes it easier but I doubt it.

SpaceLifeForm January 12, 2022 4:03 PM

@ Kronos, ALL

Silicon Turtles

It has been my experience, that when pulling the battery is required, it is due to some kind of ACPI problem.

I would not use a device that requires a battery, but does not allow you to pull it.

Clive Robinson January 12, 2022 4:49 PM

@ SpaceLifeForm, Kronos, ALL,

It has been my experience, that when pulling the battery is required, it is due to some kind of ACPI problem.

“Advanced Configuration and Power Interface”(ACPI) was known to be a disaster before it happened getting on for thirty years ago. Originaly it was cooked up by a “me to” cabal of Intel, Microsoft and Toshiba to get “Plug and Pray” working and also alow some limited “hot swapping” (that still causes security nightmares, even though ACPI is supposedly under UEFI control these days).

ACPI’s design, even for the time was at best highly questionable, but don’t take my word on it,

“In November 2003, Linus Torvalds described ACPI as “a complete design disaster in every way”. In 2001, other senior Linux software developers like Alan Cox expressed concerns about the requirements that bytecode from an external source must be run by the kernel with full privileges, as well as the overall complexity of the ACPI specification”

OK they were being polite, but some were prepared to say rather more,

“Ubuntu founder Mark Shuttleworth has likened ACPI to Trojan horses. He has described proprietary firmware (ACPI-related or any other firmware) as a security risk, saying that “firmware on your device is the NSA’s best friend” and calling firmware (ACPI or non-ACPI) “a Trojan horse of monumental proportions”. He has pointed out that low quality, closed source firmware is a major threat to system security “Your biggest mistake is to assume that the NSA is the only institution abusing this position of trust – in fact, it’s reasonable to assume that all firmware is a cesspool of insecurity, courtesy of incompetence of the highest degree from manufacturers, and competence of the highest degree from a very wide range of such agencies.” As a solution to this problem, he has called for open-source, declarative firmware (ACPI or non-ACPI), which instead of containing executable code, only describes “hardware linkage and dependencies”.”

Which whilst safer is by no means perfect. The issue is that ACPI is way to complex needlessly and the code quality is realy atrocious. But realistically ACPI’s bells, whistles and black holes are mostly not actually required these days. But… it gets shoved in anyway along with more potential vulnerabiliries than you can realistically count…

Fredric January 12, 2022 6:04 PM

Could you not simply wait for the battery to run flat or would it avoid that too?

The obvious problem is figuring out how long to wait. If a user cannot know whether their phone is off, how would they know the battery’s dead? It hardly matters, though: “Not very practical” is quite the understatement, given that it could take months or years for a high-capacity lithium-ion battery to die. Not at full use, mind you, but how much power would it take to detect and record speech for example, and log onto the network every day or 2 to upload the highlights? (Don’t forget: since the invention of Siri, the phones have the ability to detect an interesting word/sound very efficiently.)

Clive Robinson January 12, 2022 9:44 PM

@ SpaceLifeForm,

You have to pull the mains. The caps must be drained.

Most modern desktops are “never off” if plugged into the mains, the PSU keeps the motherboard powered up. It’s the same with some printers.

The reason for this… is they are “made for business needs” or more correctly to cut staffing costs. So even if a user turns off their computer when they go home, come 2AM the network script runs and a wakeup signal gets sent down the wire[1]. So all the computers get booted up and the patches or what ever else gets downloaded to them…

It’s not fun to go into an office where over night an entire departments computers have been turned into power hungry paper weights, and all the users are on a tight deadline (accounts end of month is never good).

[1] It’s officially called “Wake on LAN” what I call it is NSFW,

https://en.m.wikipedia.org/wiki/Wake-on-LAN

jamez January 12, 2022 10:02 PM

the pinephone has 6 kill switches for its modem (lte & gps), wifi/bluetooth, mic, front camera, rear camera, and headphone jack. it also has a removable battery.
it’s still a pretty beta project–mine sure has its moments–but i love the idea.

lurker January 12, 2022 11:32 PM

@SpaceLifeForm, You have to pull the mains. The caps must be drained.

From the thread subject manufacturer, official instructions which I once had to apply to an Apple desktop machine (exact model and problem lost in fading neurons):
pull the mains,
pull the cmos battery,
wait thirty minutes,
reassemble, reboot.

Why do they think they know better nowadays?

Gert-Jan January 13, 2022 5:54 AM

Every extra mechanical switch adds cost and another point of failure, which means vendors are motivated to eliminate them to the max.

If there was a smartphone with mechanical switch for the microphone (and speakers) I would have bought it.

So it is only if enough users request it and are willing to spend their money on it, that vendors will support mechanically disconnecting the battery and/or mechanically disabling the radio (“airplane mode”) and/or mechanically disabling microphone, camera and speakers.

The fact that one of my phones has a removable battery is something I like very much. Hard to imagine that that was not used as a selling point.

Clive Robinson January 13, 2022 7:30 AM

@ Moderator,

I’ve just tried to reply to @Gert-Jan, however the system has claimed it is being held in moderation.

There are no “naughty-words” in it or links etc…

So I’m puzzled as to why it’s got held.

Freezing_in_Brazil January 13, 2022 2:17 PM

@ Gert-Jan

So it is only if enough users request it and are willing to spend their money on it, that vendors will support mechanically disconnecting the battery and/or mechanically disabling the radio (“airplane mode”) and/or mechanically disabling microphone, camera and speakers.

This is somwthing the Europeans could do by law [I mean, requiring that manufacturers clean-up their act, in the spirit of the GDPR, etc], don’t you think?

SpaceLifeForm January 13, 2022 6:34 PM

@ lurker

Why do they think they know better nowadays?

They don’t make capacitors like in the olden daze.

Solution: You can’t pull the battery!

Then the ACPI backdoor can persist.

Gert-Jan January 14, 2022 5:31 AM

So it is only if enough users request it …, that vendors will support mechanically …

This is something the Europeans could do by law, don’t you think?

Yes, they could. Similar to how they require all phone to be charged with the same connector plug.

But that’s not going to happen, because there is nothing inherently wrong with devices without such mechanical switches. This is something the market needs to sort out. Or rather, what the market has sorted out. I hope this changes in the future, but currently there is insufficient demand for it.

From a security point of view, a mechanical switch to (dis)connect the radio network is probably the most promising one. One that might actually get some traction with many companies, government agencies, etc. Of course, that requires that you can trust that the mechanical switch really has been implemented correctly (i.e. without software)

Andre January 14, 2022 5:54 AM

Apple decided not to directly warn users of the worst iPhone hack in history
128 million smartphones were infected via XCodeGhost in 2015 – the idea of an email notification was rejected. Why doesn’t Apple respond to such messages?

Clive Robinson January 14, 2022 9:31 AM

@ Gert-Jan, Freezing_in_Brazil, lurker, Moderator, ALL,

I did respond to you about switches in FMCE, but for some unknown reason it was held in Moderation.

The Moderator has not cleared it yet again for as yet unknown reason.

If it does not appear I can re-post in pieces to see what caused it to be pushed into the Moderation que.

George Dorn January 14, 2022 5:08 PM

@sle

<

blockquote>Yours solution works, but Lithium-Ion batteries dislike complete discharge, they tend to permanently loose capacity when fully discharged.

<

blockquote>

This is technically true, but you can’t make it happen through normal phone usage (including letting it drain to “0%”). Long before the battery gets near dangerously low levels, the BMS (a tiny circuit board built into the battery itself) will detect the low voltage and disconnect it. When your phone reports 0%, the battery is still near 3v, way above the level of discharge needed to cause damage.

null clam January 14, 2022 7:28 PM

General question –

Could software “switches” that aren’t necessarily as switched as they seem be used to infiltrate and exfiltrate information, eg. as sort of binary on/off registers ?

JonKnowsNothing January 14, 2022 9:57 PM

@null clam, @All

re: Could software “switches” that aren’t necessarily as switched as they seem be used to infiltrate and exfiltrate information, eg. as sort of binary on/off registers ?

Depending on where you sit in the stack of programs from circuit board to UI the command to LED(ON/OFF) depends on what’s underneath it.

There are a series of driver programs that are called to move up and down the stack. Exactly what each driver provides is not dependent on what any other driver provides or even within the same driver.

  DriverA LED(ON/OFF) DriverB LED(ON) DriverC LED(ON/OFF/BLACK)

  DriverA LED(ON/OFF) DriverA LED2(ON) DriverA LED3(ON/OFF/BLACK)

When you get down to the chip level there are spec data sheets that are supposed to tell you what that chip does and how and where to jab it to get it to do what you want. Often you are hitting some HEX address on the chip. More often spec sheet is out of date and you have fun doing it another way.

  HEX(0=OFF, +1=ON) if HEX(0) is broken then HEX((+1-1), (+1-2) = OFF)

So along the pathway, anything can be (and is) inserted to do all sorts of fun stuff. Some of it is intentional on the part of the DEV, or the CO and some of it is discovered by another that can make it dance to their own bagpipes.

  LOOK!! A running marquee!!!
  It’s blinking Morris Code.

Others might be able to give great details…

Clive Robinson January 15, 2022 8:03 AM

@ Moderator, Gert-Jan, SpaceLifeForm, JonKnowsNothing,

I have tried yet again to posted a response to “@Gert-Jan”

It was originally claimed by the blog to be held for moderation, but it has still not displayed either on this page or in 100 Comments.

So I re-posted it and got,

Duplicate comment detected; it looks as though you’ve already said that!

Obviously it’s not being displayed for some reason as that “already said” means it either has the post or a hash of it held internaly.

There is obviously something seriously up with the core display software of the blog software.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.