Most people think that turning off their iPhone - or letting the battery die - means that the phone is, well, off. The thing is, this isn't quite true. In reality, most of the phone's functionality has ended, but there are components that mindlessly continue a zombie-like existence, for the most part unbeknownst to the user.
Even when the battery dies in your iPhone, it's not truly dead. The phone will shut itself down to conserve the last little bits of power, and will enter a low power mode that is very different from the Low Power Mode that is offered when the battery drops to 20%, and that is found in the battery settings. These last trickles of power are used to keep certain limited functionality active for some time. The same is true of turning the phone off, except that this functionality can stay active much longer with a battery closer to full.
What is this functionality? Most notably, Express Cards - payment cards used with public transit systems - can continue to work in such a state. So can things like digital home or car keys, which seems logical. After all, you don't want to get locked out just because your iPhone battery died!
More surprising is that the iPhone's Find My capabilities continue to function. This means that the phone's location can still be tracked, in a manner similar to how AirTagswork, even after it has been turned off.
Is this a problem or not a problem?
Much ado has been made in the past of the use of things like Express Cards, which can be used without authentication. Someone could potentially jostle you in a public place and scan your phone with a fake public transit payment terminal, thus skimming money off the card you have set as an Express Card. That's 100% possible, but not really all that likely.
Not to mention that there's a simpler scenario. Someone could pull the same trick with a normal payment terminal, rather than one pretending to be a public transit terminal, and the tap-to-pay cards in your wallet. That's a much simpler scenario with a much higher probability of success.
Similarly, digital keys could be used to access your car or your home, if someone stole your phone. Of course, that's assuming they could figure out where your car or your home are from a locked phone, which is a pretty big "if" unless the thief had some prior knowledge.
In this regard, your phone doesn't really pose much more of a risk than other things you'd have on your person. Of course, this is highly dependent on circumstances. For example, stealing a phone left on a table while the owner's not paying attention would be a lot easier than stealing a wallet and keys from someone's pocket. On the other hand, if a thief snatches someone's purse or backpack, they may get phone, keys, and wallet, and the phone could easily be the least useful of the three.
Find My, on the other hand, is a bigger problem.
What's the problem with Find My?
The major use cases for Find My are for you to find a lost device, or for someone you've shared your location with to find you. So what's the problem? I mean, these are situations where you fully intend for your phone to be trackable, right? Unfortunately, there are scenarios that are not so beneficial.
Consider stalking or abuse scenarios where the stalker knows your Apple ID credentials, or has been given - through stealth or bullying - the ability to see your location. This is often the case with intimate partner abuse, for example. If you are in such an abusive situation, you may be under the false impression that turning your phone off will temporarily stop the tracking. Alas, that is not the case, and this could be a painful lesson to learn... both literally and figuratively.
However, there's a possibility of still worse problems, like malware.
Wait... what?! Did you say malware?
Indeed. German researchers recently foundthat the Bluetooth firmware, responsible for managing the Bluetooth Low Energy (BLE) communication upon which Find My relies, is not cryptographically signed. Since the firmware is not signed, that means that modifications to the firmware cannot be detected without comparing the firmware to a known-good copy of the firmware.
Since BLE communication continues when the phone is off, the researchers found that there is a theoretical possibility that malware on the device could modify the Bluetooth firmware, thus installing malicious code that could continue to run even when the phone appears to be off. The most likely use case for such malware would be to use the BLE tracking capabilities to monitor the phone's location.
Now, before you go chucking your phone in the garbage or smashing it with a hammer, let's keep in mind that this is all theoretical at the moment. Compromising the firmware would require a jailbreak, which is not an easy thing to accomplish remotely. Physical access lowers the difficulty level, but it's still not likely that this technique could be used by most adversaries.
How can I protect myself?
If you're in a situation where an abuser is monitoring your location, you should be aware that turning off your phone will not stop the tracking. For those in such situations, we advise seeking help, as disabling the tracking could have bad consequences. If you need to not be tracked for a while, leave your phone in a location where it's reasonable to expect you might spend some time.
When it comes to malware, there's not much to worry about at present. There's no known malware using BLE firmware compromise to remain persistent when the phone is "off." Further, unless you are likely to be targeted by a nation-state adversary - for example, if you are a human rights advocate or journalist critical of an oppressive regime - you're not likely to ever run into this kind of problem. (If that ever changes, you can be sure we'll cover that here!)
If you actually are a potential target for a nation-state adversary, don't trust that your phone is ever truly off. In such a case, a Faraday bag, or a low-tech flip phone, might be a good investment!