
Artificial Airplane Mode in iOS 16 exploits user information


Security researchers have detailed a new method in iOS 16 for maintaining control over an Apple device even when the user believes it is offline.

At a glance

  • The technique deceives users by giving them the impression that Airplane Mode is active. In reality, following a successful device exploit, attackers implant a fake Airplane Mode that modifies the UI to display the Airplane Mode icon.
  • It also disconnects internet access for all apps except the attacker’s application, as described by Jamf Threat Labs researchers Hu Ke and Nir Avraham.
  • Airplane Mode, which disables wireless features, blocks WiFi, cellular data, Bluetooth connections, and call/text functions.

“When the user turns on Airplane Mode, the network interface pdp_ip0 (cellular data) will no longer display ipv4/ipv6 ip addresses,” the researchers explained. “The cellular network is disconnected and unusable, at least to the user space level.”
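The researchers' observation about pdp_ip0 suggests a consistency check a defender can run. The following is an added example, not code from Jamf or from this article: it parses ifconfig-style text and flags the case where the UI reports Airplane Mode while pdp_ip0 still holds addresses. It assumes the interface listing comes from a diagnostic capture and the UI state is supplied separately; the function names and sample data are constructed for illustration.

```python
import re

# Constructed sample data: ifconfig-style output with made-up flags and addresses.
SAMPLE_ONLINE = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
\tinet 10.20.30.40 --> 10.20.30.40 netmask 0xffffffff
\tinet6 2001:db8::1 prefixlen 64 autoconf
"""
SAMPLE_OFFLINE = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
pdp_ip0: flags=8010<POINTOPOINT,MULTICAST> mtu 1450
"""

def interface_addresses(ifconfig_text):
    """Map each interface name to the (family, address) pairs listed under it."""
    result, current = {}, None
    for line in ifconfig_text.splitlines():
        header = re.match(r"^(\S+?):\s+flags=", line)
        if header:
            current = header.group(1)
            result[current] = []
            continue
        addr = re.match(r"^\s+(inet6?)\s+(\S+)", line)
        if addr and current:
            result[current].append((addr.group(1), addr.group(2)))
    return result

def check_airplane_consistency(ifconfig_text, ui_airplane_on, iface="pdp_ip0"):
    """Return ("MISMATCH", addrs) when the UI claims Airplane Mode is on
    but the cellular interface still has IPv4/IPv6 addresses assigned."""
    addrs = interface_addresses(ifconfig_text).get(iface, [])
    if ui_airplane_on and addrs:
        return "MISMATCH", addrs
    return "consistent", addrs

if __name__ == "__main__":
    for name, text in (("online", SAMPLE_ONLINE), ("offline", SAMPLE_OFFLINE)):
        print(name, check_airplane_consistency(text, ui_airplane_on=True))
```

A mismatch is a signal to investigate rather than proof of compromise, and on a device that is already compromised the interface listing itself may not be trustworthy.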

Jamf Analysis

The strategy developed by Jamf aims to create a façade of Airplane Mode while covertly sustaining a cellular network connection for a rogue app. The deception is carried out through CommCenter, with the UI modified via SpringBoard, which oversees icon changes.

“The attacker aims to simulate Airplane Mode’s UI adjustments, yet maintain cellular connectivity for a malicious payload delivered and installed separately on the device.”

In practical terms, enabling Airplane Mode without WiFi should lead to no internet connection when opening Safari. However, the trick blocks specific apps’ cellular data access through CommCenter to mimic Airplane Mode, and uses a manipulated function to alter the appearance of the alert window.

CommCenter also contains a SQL database that records each app’s (bundle ID) cellular access status. A flag is set to “8” when an app is blocked.

“When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a backdoor trojan.”

This technique doesn’t exploit an OS vulnerability; it is a method of post-compromise persistence, as confirmed by Apple.

Can we secure it offline?

The innovative post-exploit persistence technique discovered on iOS 16 highlights the ever-evolving landscape of cybersecurity challenges. The method’s ability to deceive us by mimicking Airplane Mode while secretly maintaining a connection underscores the creativity of malicious actors. 

This discovery emphasizes the importance of continuous vigilance and adaptation in cybersecurity. As technology advances, defenders and attackers continue to find new avenues to explore, making dynamic and proactive approaches fundamental to security.

Author: Anas Hasan

Date: August 21, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
