ZecOps has written up "NoReboot", which it bills as the ultimate persistence bug: a technique that tricks the user into believing the device has been shut down when it has not. The security website calls it "a bug that cannot be patched because it's not exploiting any persistence bugs at all – only playing tricks with the human mind."
The NoReboot Bug
The team first lists the cues a user relies on to tell that an iPhone is powered on:
- Ring/Sound from incoming calls and notifications
- Touch feedback (3D touch)
- Vibration (silent mode switch triggers a burst of vibration)
- Screen
- Camera indicator
NoReboot suppresses every one of those cues while the iPhone keeps running. The article goes into the technical details, and a video demonstration can be found here.
It starts by hijacking the shutdown event: the proof of concept hooks the Objective-C method -[FBSSystemService shutdownWithOptions:], which SpringBoard (the process that draws the Home Screen and handles user interaction) calls when the user slides to power off. With the hook in place, the real shutdown is never sent; instead SpringBoard and backboardd are signalled to run the injected code.
The spinning wheel that would otherwise appear is hidden with [[BKSDefaults localDefaults] setHideAppleLogoOnLaunch:1]. With SpringBoard out of the way, nothing responds to the user: "Because SpringBoard is responsible for responding to user behavior and interaction, without it, the device looks and feels as if it is not powered on."
There is no patch in the usual sense; as the website says, nothing is being exploited, so there is nothing to fix. The flip side is that NoReboot depends on code already injected into SpringBoard and backboardd, which means an attacker must have privileged code execution on the device before using it: the technique keeps an existing, non-persistent compromise alive by preventing the reboot that would end it, and a genuine restart still clears it. The team shared the NoReboot POC source code here. ZecOps also says that its software can help people inspect their device, and a free trial can be had here.
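One check that follows directly from the description above: NoReboot keeps the kernel running while faking the visible shutdown cues, so the kernel's own boot timestamp still tells the truth. Record the time at which you asked the device to power off; when it "comes back", read the boot time and compare. A boot time that predates the shutdown request means the device never restarted. The script below is an added example written for this page, not ZecOps code and not the NoReboot POC; it reads the boot time via `sysctl kern.boottime` on macOS (an iOS app would call `sysctlbyname("kern.boottime")` directly) or `/proc/stat` on Linux, and the default timestamp it uses when run without an argument is constructed for demonstration.

```python
import re
import subprocess
import sys
import time
from typing import Optional


def parse_darwin_boottime(text: str) -> float:
    """Parse the output of `sysctl -n kern.boottime`, which looks like
    '{ sec = 1700000000, usec = 123456 } Tue Nov 14 22:13:20 2023'."""
    m = re.search(r"sec\s*=\s*(\d+)", text)
    if m is None:
        raise ValueError(f"unexpected kern.boottime output: {text!r}")
    return float(m.group(1))


def read_boot_time() -> Optional[float]:
    """Kernel boot time as a Unix timestamp, or None if it cannot be read.
    Darwin (macOS, and iOS via sysctlbyname): kern.boottime.
    Linux: the 'btime' line of /proc/stat."""
    try:
        if sys.platform == "darwin":
            out = subprocess.run(["sysctl", "-n", "kern.boottime"],
                                 capture_output=True, text=True, check=True).stdout
            return parse_darwin_boottime(out)
        with open("/proc/stat", encoding="ascii") as f:
            for line in f:
                if line.startswith("btime "):
                    return float(line.split()[1])
    except (OSError, subprocess.SubprocessError, ValueError):
        pass
    return None


def reboot_occurred(shutdown_requested_at: float, boot_time: float,
                    tolerance_s: float = 60.0) -> bool:
    """True if the kernel booted after the shutdown was requested.
    A real reboot yields a boot time at or after the request (tolerance_s
    absorbs clock adjustment during boot); a boot time that predates the
    request means the kernel never stopped, which is what NoReboot produces."""
    return boot_time >= shutdown_requested_at - tolerance_s


def check(shutdown_requested_at: float) -> str:
    """Human-readable verdict for the device this script runs on."""
    boot = read_boot_time()
    if boot is None:
        return "unknown: could not read kernel boot time"
    if reboot_occurred(shutdown_requested_at, boot):
        return "ok: kernel booted after the shutdown request"
    return ("suspicious: kernel boot time predates the shutdown request by "
            f"{shutdown_requested_at - boot:.0f}s; the device did not restart")


if __name__ == "__main__":
    # Usage: python3 reboot_check.py <unix timestamp of the shutdown request>
    # Constructed default for demonstration: pretend the shutdown was
    # requested one hour ago.
    requested = float(sys.argv[1]) if len(sys.argv) > 1 else time.time() - 3600
    print(check(requested))
```

The check assumes the kernel is honest about its boot time; an attacker who already controls the kernel could falsify that too, so treat a passing result as raising the bar rather than settling the question. A boot time far older than your shutdown request, however, is exactly the signature this technique leaves.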