Jamf Threat Labs researchers developed a post-exploit persistence technique on iOS 16 that trick victims into believing that the device is in functional Airplane Mode. In reality, the researchers plant an artificial Airplane Mode that modifies the UI to display Airplane Mode icons and cuts internet connection to all apps except the rogue attacker’s application. Using this trick, the attacker can maintain access to the mobile phone even when the user believes it is offline. The researchers pointed out that this technique has not yet been used in attacks in the wild.
The researchers focused on the way the Airplane Mode works and discovered that two daemons are used to switch the mode. The daemon SpringBoard takes modifies the UI, and CommCenter is used to interact with the underlying network interface. The daemon CommCenter is also used to block cellular data access for specific apps.
The researchers demonstrated how to create a fake Airplane Mode manipulating the UI, while preserving cellular connectivity for a selected application.
The experts analyzed the console logs searching for log related to the Airplane Mode activation and found the string “#N User airplane mode preference changing from…”. Then the experts used the string to find the piece of code that is responsible for the switch.
“Hoping that this function was early enough in the chain of calls that enable Airplane Mode, we successfully hooked and replaced it with an empty/do nothing function.” reads the post published by the experts. “The result was a fake Airplane Mode. Now, when the user turns on Airplane Mode, the device will not be disconnected from the cellular network and internet access will be uninterrupted.”
The experts also used additional UI tweaks to make the attack look like the typical Airplane Mode experience, such as dimming the cellular icon and preventing the user from interacting with it.
“After enabling Airplane Mode without a Wi-Fi connection, users would expect that opening Safari would result in no connection to the internet.” continues the report. “The typical experience is a notification window that prompts a user to “Turn Off Airplane Mode”. To achieve this effect, we will utilize the aforementioned CommsCenter feature to “Block cellular data access for specific apps,” and disguise it as Airplane Mode through the hooked function below.”
The researchers pointed out that the operating system kernel notifies the CommCenter via a callback routine. Then the daemon notifies the SpringBoard to display the pop-up.
The CommCenter daemon manages a SQL database that records the cellular data access status of each app.
The value of “flags” will be set to 8 if an application is blocked from accessing cellular data, this means that it is possible to use this info to selectively block/allow an app to access networks.
“Using this database of installed application bundle IDs we can now selectively block or allow an app to access Wi-Fi or cellular data using the following code. When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a Backdoor Trojan.” concludes the report.
Below is a video PoC of the exploit:
(SecurityAffairs – hacking, Apple iOS 16 exploit)