Fake shutdown on iPhones allows attackers to snoop via camera & microphone

Overview

Researchers have disclosed a new technique that threat actors can leverage to fake a shutdown or reboot of an iPhone. Traditionally, an iPhone could be shut down or rebooted to clear any malware running in the device’s memory. By faking the shutdown or reboot, an attacker prevents the malware from being removed and so maintains a level of persistence, allowing them to keep listening and watching through the device’s microphones and cameras and to receive the captured data over the device’s still-live network connection.

Impact

By preventing a genuine iOS shutdown or reboot and simulating one instead, it is possible to mislead a user into thinking that the device’s features have been disabled and/or that any malware has been removed. A malicious actor would, however, still be able to use the device’s features to gather information on an individual and their surroundings.

Products Affected

iOS devices

Containment, Mitigations & Remediation

The attack, also known as “NoReboot”, does not exploit any flaw in iOS. It instead relies on human-level deception/social engineering to get the user to navigate to a website under the attacker’s control. As such it cannot be patched by Apple.

Most services such as Google Hangouts, Zoom, Skype, etc. give you the option to make and receive calls by logging in to their site in your web browser, without downloading any special software or installing additional apps.

Mitigations can be implemented by preventing applications such as Safari or other web browsers from accessing the device’s resources, such as the camera and microphone.
To check your device permissions, go to:
Settings > Privacy > Camera, then tap the toggle next to an app to revoke its permission. Repeat the same steps under Settings > Privacy > Microphone.

Indicators of Compromise

There are currently no defined IoCs such as known malicious sites. However, depending on the configuration of the device, not being asked to enter a SIM PIN or passcode following a supposed restart may indicate to the user that something is unusual.

Threat Landscape

Using the browser as a way of communicating from corporate devices is popular because it lets users communicate via their preferred technologies or vendors without installing applications, which they may not have the permissions or ability to do. It is therefore imperative that companies and staff are aware of, and vigilant about, how these devices are used, as this malware could potentially cause data breaches affecting the company, its customers and the individuals concerned.

MITRE Methodologies

T1123 – Audio Capture
T1125 – Video Capture
T1176 – Browser Extensions
T1204 – User Execution

Further Information

Fake shutdown simulation using NoReboot persistence technique
The Hacker News
Bleeping Computer