Since iOS 15, Bluetooth remains active even when you turn off your iPhone completely. This is done so that a lost iPhone can still be found when its battery is empty, and so that features such as Express Cards and Car Key keep working on a device with a dead battery. However, the Bluetooth firmware is neither signed nor encrypted, researchers from TU Darmstadt report. That makes it possible to modify the unprotected Bluetooth firmware and load it onto the phone. The firmware gains access to the Secure Enclave, the most secure part of the phone, and because the iPhone itself is turned off, this is no longer under its control.
New features such as Car Key require that Bluetooth, NFC and Ultra Wideband remain active even when the battery is empty or the device is switched off. According to the researchers, these functions remain active for five hours after the iPhone is turned off. Apple itself gives no details about this. What is known is that the Bluetooth firmware is neither signed nor encrypted. The NFC firmware is both signed and encrypted, while Ultra Wideband is a mixed case: its firmware is signed, but not encrypted.
The researchers believe that Apple should add a physical switch that cuts power from the battery, disabling all of the mentioned functions in one fell swoop. But that may not be what you want: the low power mode or power reserve mode can also help you out if you can't find your car key. The researchers will present their findings at a conference this week in Texas.