DT Intro: We've all heard the stories recently about how Apple phones are basically never off even when they are...well, Matthew Green's tweetstorm here provides the proof!

Matthew Green (@matthew_d_green)
I teach cryptography at Johns Hopkins. Screeching voice of the minority.

“iPhone Remains Findable After Power Off” what I can’t keep up anymore.

So I guess “power off” doesn’t mean “off” anymore, it means the device stays on and does some kind of low-power nearfield communication. I’m trying to decide how I feel about this.

The off switch is buried in the “Find My” settings dialog, weirdly in a tab called “Find My Network” which might make you think it’s intended to… find your network… but actually I think this is some kind of branding gone wrong.

I wonder what the attack surface of their “powered off you can only find the phone” mode looks like. I hope it doesn’t use weird exploitable SSL libraries that haven’t been updated since 2012.

Too much functionality please stop

Drew Laughlin (@andrew_i_am)
I think that setting might also prevent your phone from serving as a relay for other air tag location pings

In other news I updated my phone to iOS 15 and put it down to charge last night. When I woke up it was hot, and my battery has gone from 100% to 15% since 7:30am. I gotta get off this ecosystem.

Wow, this thread somehow inspired an insane comment thread on HN which is 50% people saying they’ve known about this feature for a year and only an idiot would be surprised by it, 50% people expressing surprise that the feature even exists. news.ycombinator.com/item?id…

For the record (inspired by the many excellent comments on HN) I have no specific beef with this feature: I’d just like to know how it works. I think a proper explanation of it would be security-relevant and I would expect to see something about it in the iOS Security Guide.

A little bird told me the phone writes a series of pre-computed cryptographic beacons to the UWB chipset, but little birds are no substitute for official documentation.

Wow, ok! This post does some proper reverse engineering and shows that the “Always On Processor” interfaces with the Bluetooth chip to implement this functionality. Great to have an answer. naehrdine.blogspot.com/2021/…

My tweet above (two higher in the thread) was apparently wrong. The Find My keys get exported to the Bluetooth chipset. I still wonder how exploitable the whole mess is while the phone is off. Should we care?

Uh, yeah.

Ok, update: the Find My beacons are spooled out to storage, rather than the keys themselves. Which presumably are safe in the SEP. Thanks @naehrdine for the second look. (Also anyone who cares about Apple RE should follow @naehrdine)

You have been warned!