Wednesday 4 June 2014

How the NSA Could Bug Your Powered-Off iPhone, and How to Stop Them


Photo: Josh Valcarcel/WIRED
Just because you turned off your phone doesn’t mean the NSA isn’t using it to spy on you.
Edward Snowden’s latest revelation about the NSA’s snooping inspired an extra dose of shock and disbelief when he said the agency’s hackers can use a mobile phone as a bug even after it’s been turned off. The whistleblower made that eye-opening claim when Brian Williams of NBC Nightly News, holding his iPhone aloft during last Wednesday’s interview, asked, “What can the NSA do with this device if they want to get into my life? Can anyone turn it on remotely if it’s off? Can they turn on apps?”
“They can absolutely turn them on with the power turned off to the device,” Snowden replied.
Snowden didn’t offer any details on this seemingly magical feat. But a group of particularly cunning iPhone hackers say it’s possible. They also say you can totally and completely turn off your iPhone so no one—not even the NSA—can use it to spy on you.

Your Phone Is Playing Dead

Like any magic trick, the most plausible method of eavesdropping through a switched-off phone starts with an illusion. Security researchers posit that if an attacker has a chance to install malware before you shut down your phone, that software could make the phone look like it’s shutting down—complete with a fake “slide to power off” screen. Instead of powering down, it enters a low-power mode that leaves its baseband chip—which controls communication with the carrier—on.
This “playing dead” state would allow the phone to receive commands, including one to activate its microphone, says Eric McDonald, a hardware engineer in Los Angeles. McDonald is also a member of the Evad3rs, a team of iPhone hackers who created jailbreaks for the two previous iPhone operating systems. If the NSA used an exploit like those McDonald’s worked on to infect a phone with malware that fakes a shutdown, “the screen would look black and nothing would happen if you pressed buttons,” he says. “But it’s conceivable that the baseband is still on, or turns on periodically. And it would be very difficult to know whether the phone has been compromised.”
After Snowden told Williams his powered-down phone could be used as an eavesdropping tool, security consultant Robert David Graham immediately responded with a blog post arguing the trick is impossible. He soon amended the post to concede the NSA could, in fact, alter a phone ahead of time to enable that ultra-sneaky bugging. Its methods could range from a web exploit, like the 2011 Jailbreakme hack that dismantled the iPhone’s security restrictions when users visited a carefully crafted webpage, to actually intercepting shipped phones before they reach users. That latter possibility might have sounded far-fetched until journalist Glenn Greenwald published photos last month showing the NSA opening boxes of Cisco routers to insert backdoors into the gear. “With physical access, they could change the chips, the memory, the ROMs, the power system, anything they want,” Graham says.
But paranoid users seeking temporary privacy from NSA uber-hackers needn’t resort to Snowden’s famous precaution of putting phones in the fridge. Instead, McDonald suggests users turn off their iPhones by putting them into device firmware upgrade (DFU) mode, a kind of “panic” state designed to let the phone reinstall its firmware or recover from repeated operating system crashes. In DFU mode, says McDonald, all elements of the phone are entirely shut down except its USB port, which is designed to wait for a signal from iTunes to install new firmware. “It’s like an innocent little kid in kindergarten,” says McDonald. “It doesn’t know how to turn on the lights or the sound, it only knows how to turn on the USB port.”
Don’t worry: It’s easy to get your phone out of that state with no ill effects.

Total Radio Silence

To enter DFU mode, plug your iPhone into any power outlet or computer USB port. Then hold the power button. After three seconds, start holding the home button, too. Keep both buttons pressed for 10 seconds, then release the power button while continuing to hold the home button for another ten to fifteen seconds.
That intermediate step of holding the power button and the home button together, McDonald says, sends a “hardware reset” to the phone’s power management unit that overrides any running software, including any malware designed to fake a shutdown. “It’s a feature burned into the hardware,” says David Wang, another iPhone hacker and member of the Evad3rs. “As far as I know, there’s nothing that can stop that hard power-off.”
If you’ve successfully entered DFU mode, the phone won’t turn on when someone holds the power button, nor will it power up when the phone is plugged into a power source. With your phone in this temporary undead state, you can go about your private conversation with the closest thing possible to full assurance that your phone isn’t listening. To power the phone back on, hold the power button and home button together until the Apple logo appears.
Here’s a video tutorial on putting your iPhone into DFU mode:
https://www.youtube.com/watch?feature=player_embedded&v=ujhBn9v3zOo
An easier way of entering complete shutdown, says Wang, is a straightforward hardware power-off—simply hold the home and power buttons simultaneously for 10 seconds without the DFU button sequence. “If the phone is in such a low-level state, I don’t see how it’s possible for anything to interact with the baseband,” he says.
But McDonald cautions that unless you go into DFU mode, the phone partially reboots before turning off, as shown by the Apple logo appearing before the screen goes dark. During that brief window, the bootloader—a portion of the iPhone’s software that loads before the operating system—awakes for a second or so, long enough that any highly advanced malware might be able to take over, spoof that dark screen shutdown and leave your phone vulnerable. “If you’re going to be paranoid, you might as well be super paranoid,” McDonald reasons.
Of course, McDonald and Wang both caution that if you enter DFU mode incorrectly—say, by screwing up the timing of the shutdown procedure—it’s possible for malware to detect your intention and fake even that obscure state of semi-death. But if the button sequence is performed correctly, no malware will be able to override it. And even imagining malware clever enough to anticipate and impersonate DFU mode starts to stretch credibility, says McDonald. “At that point,” he says, “you’re talking about a countermeasure to a countermeasure to a countermeasure.”
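A dark screen proves nothing, which is the article’s whole point, but DFU mode does leave one signal that iOS cannot forge: the phone enumerates on the host computer’s USB bus from its boot ROM, with a product ID distinct from recovery mode and from a running OS. The script below is an added example, not code from the article or from the Evad3rs, that checks the `lsusb` output of a Linux host for that enumeration. The vendor and product IDs (Apple 0x05ac; DFU 0x1227; recovery 0x1281) are well-known constants used by tools such as libirecovery, and the `lsusb` lines it parses here are constructed samples, not captures from a real device.

```python
import re
import shutil
import subprocess
from typing import Dict, List

# USB identifiers Apple devices present in their two pre-OS states. These are
# well-known constants (as used by libirecovery and similar tools); they are
# not taken from the WIRED article above.
APPLE_VENDOR_ID = 0x05AC
PID_DFU_MODE = 0x1227       # boot ROM (SecureROM) waiting for firmware over USB
PID_RECOVERY_MODE = 0x1281  # iBoot recovery mode, i.e. the bootloader is running

# Matches one line of `lsusb` output, e.g.
# "Bus 001 Device 004: ID 05ac:1227 Apple, Inc. Mobile Device (DFU Mode)"
LSUSB_LINE = re.compile(
    r"^Bus\s+(\d+)\s+Device\s+(\d+):\s+ID\s+([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)


def classify_apple_devices(lsusb_output: str) -> List[Dict]:
    """Parse `lsusb` text and report the boot state of every Apple device present.

    States: "dfu" (boot ROM only), "recovery" (iBoot running), or
    "other-apple-device" (a full OS is running, or it is a keyboard/hub/etc.).
    """
    found = []
    for raw in lsusb_output.splitlines():
        m = LSUSB_LINE.match(raw.strip())
        if not m:
            continue  # ignore blank lines and anything that is not an lsusb record
        vid, pid = int(m.group(3), 16), int(m.group(4), 16)
        if vid != APPLE_VENDOR_ID:
            continue
        if pid == PID_DFU_MODE:
            state = "dfu"
        elif pid == PID_RECOVERY_MODE:
            state = "recovery"
        else:
            state = "other-apple-device"
        found.append({
            "bus": m.group(1),
            "device": m.group(2),
            "pid": pid,
            "state": state,
            "description": m.group(5),
        })
    return found


def in_dfu_mode(lsusb_output: str) -> bool:
    """True if at least one attached Apple device is enumerated in DFU mode."""
    return any(d["state"] == "dfu" for d in classify_apple_devices(lsusb_output))


# Constructed sample outputs for offline use (not real captures).
SAMPLE_DFU = (
    "Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub\n"
    "Bus 001 Device 004: ID 05ac:1227 Apple, Inc. Mobile Device (DFU Mode)\n"
)
SAMPLE_RECOVERY = "Bus 001 Device 005: ID 05ac:1281 Apple, Inc. Mobile Device (Recovery Mode)\n"
SAMPLE_OS_RUNNING = "Bus 001 Device 006: ID 05ac:12a8 Apple, Inc. iPhone 5/5C/5S/6/SE\n"
SAMPLE_NONE = "Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub\n"


if __name__ == "__main__":
    # On a real Linux host, read the live bus; otherwise fall back to the samples.
    if shutil.which("lsusb"):
        output = subprocess.run(["lsusb"], capture_output=True, text=True, check=False).stdout
    else:
        output = SAMPLE_DFU
    for dev in classify_apple_devices(output):
        print(f"bus {dev['bus']} dev {dev['device']} pid 0x{dev['pid']:04x}: {dev['state']}")
    print("DFU mode confirmed" if in_dfu_mode(output) else "no device in DFU mode")
```

The check is only as trustworthy as the host running it and the cable between them: it confirms that the USB endpoint is being served by the boot ROM rather than by iOS, which a software-only fake-shutdown cannot imitate, but it says nothing about the hardware-level tampering Graham describes, and a compromised host could lie about what it sees. On macOS the same product IDs appear under System Information’s USB tree (or `system_profiler SPUSBDataType`) rather than in `lsusb` format.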
Countermeasures against countermeasures are exactly the stock-in-trade of the world’s best hackers. But even paranoia has its limits. At some point, it may be best to give up the game and leave the phone at home—or in the nearest fridge.