• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Mobile
  • Experts devise an exploit for Apple iOS 16 that relies on fake Airplane Mode

Experts devise an exploit for Apple iOS 16 that relies on fake Airplane Mode

Pierluigi Paganini August 17, 2023

Researchers detailed a new exploit for Apple iOS 16 that can allow attackers to gain access to a device even when the victim believes it is in Airplane Mode.

Jamf Threat Labs researchers developed a post-exploit persistence technique on iOS 16 that trick victims into believing that the device is in functional Airplane Mode. In reality, the researchers plant an artificial Airplane Mode that modifies the UI to display Airplane Mode icons and cuts internet connection to all apps except the rogue attacker’s application. Using this trick, the attacker can maintain access to the mobile phone even when the user believes it is offline. The researchers pointed out that this technique has not yet been used in attacks in the wild.

The researchers focused on the way the Airplane Mode works and discovered that two daemons are used to switch the mode. The daemon SpringBoard takes modifies the UI, and CommCenter is used to interact with the underlying network interface. The daemon CommCenter is also used to block cellular data access for specific apps.

Airplane mode exploit ios

When the user turns on Airplane Mode, the network interface pdp_ip0 (cellular data) will no longer display IPv4/IPv6 IP addresses, and of course, the cellular network is offline.

The researchers demonstrated how to create a fake Airplane Mode manipulating the UI, while preserving cellular connectivity for a selected application.

The experts analyzed the console logs searching for log related to the Airplane Mode activation and found the string “#N User airplane mode preference changing from…”. Then the experts used the string to find the piece of code that is responsible for the switch.

“Hoping that this function was early enough in the chain of calls that enable Airplane Mode, we successfully hooked and replaced it with an empty/do nothing function.” reads the post published by the experts. “The result was a fake Airplane Mode. Now, when the user turns on Airplane Mode, the device will not be disconnected from the cellular network and internet access will be uninterrupted.”

The experts also used additional UI tweaks to make the attack look like the typical Airplane Mode experience, such as dimming the cellular icon and preventing the user from interacting with it.

“After enabling Airplane Mode without a Wi-Fi connection, users would expect that opening Safari would result in no connection to the internet.” continues the report. “The typical experience is a notification window that prompts a user to “Turn Off Airplane Mode”. To achieve this effect, we will utilize the aforementioned CommsCenter feature to “Block cellular data access for specific apps,” and disguise it as Airplane Mode through the hooked function below.”

Airplane mode exploit ios

The researchers pointed out that the operating system kernel notifies the CommCenter via a callback routine. Then the daemon notifies the SpringBoard to display the pop-up.

The CommCenter daemon manages a SQL database that records the cellular data access status of each app.

The value of “flags” will be set to 8 if an application is blocked from accessing cellular data, this means that it is possible to use this info to selectively block/allow an app to access networks.

“Using this database of installed application bundle IDs we can now selectively block or allow an app to access Wi-Fi or cellular data using the following code. When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a Backdoor Trojan.” concludes the report.

Below is a video PoC of the exploit:

https://vimeo.com/user100736884

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Apple iOS 16 exploit)


facebook linkedin twitter

AirPlane Mode Apple iOS Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 23, 2025
U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini July 23, 2025
Sophos fixed two critical Sophos Firewall vulnerabilities
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

    Hacking / July 23, 2025

    Sophos fixed two critical Sophos Firewall vulnerabilities

    Security / July 23, 2025

    French Authorities confirm XSS.is admin arrested in Ukraine

    Cyber Crime / July 23, 2025

    Microsoft linked attacks on SharePoint flaws to China-nexus actors

    APT / July 23, 2025

    Cisco confirms active exploitation of ISE and ISE-PIC flaws

    Hacking / July 22, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT