BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.recon.cx//2022//BB3NMJ
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-2022-CWVB8J@cfp.recon.cx
DTSTART;TZID=EST:20220605T163000
DTEND;TZID=EST:20220605T170000
DESCRIPTION:After power off\, modern iPhones keep their wireless chips on. 
 Find My advertisements are sent by the Bluetooth chip upon user-initiated 
 and automated low-power shutdown since iOS 15. Less noticeable to most use
 rs\, Apple introduced a Digital Car Key 3.0 express mode\, also available 
 after low-power shutdown for up to 5 hours. This is implemented with a Blu
 etooth GATT service for initial detection\, an Ultra-wideband (UWB) module
  for fine ranging\, and an applet in the NFC chip's secure element managin
 g access to cryptographic keys. While these are interesting features for m
 ost end-users\, this means that high-value targets like journalists can no
  longer trust their iPhone to be switched off.\n\nIn this talk\, we show h
 ow this is implemented in hardware\, revealing that this has been planned 
 at least since designing the iPhone 11 hardware. Then\, we dig deeper into
  the most recent Bluetooth firmware present in the iPhone 12 and 13. We ma
 ke modifications to the Bluetooth firmware and the InternalBlue framework\
 , allowing analysis\, debugging\, but also installing stealthy low-power m
 alware. The latest firmware diverges a lot from older firmware with leaked
  symbols. We demonstrate how to match the most important handlers anyway t
 o learn which features are enabled in Apple's low-power Bluetooth firmware
 \, which parameters can be changed in the stock firmware\, and which capab
 ilities could be added by malware.
DTSTAMP:20251222T223243Z
LOCATION:Grand Salon
SUMMARY:When Wireless Malware Stays On After Turning Off iPhones - jiska
URL:https://cfp.recon.cx/2022/talk/CWVB8J/
END:VEVENT
END:VCALENDAR