Pierluigi Paganini
December 06, 2023
Researchers from Jamf Threat Labs devised a new post-exploit tampering technique to trick users that their compromised iPhone is running in Lockdown Mode while they are performing malicious activities.
The researchers pointed out that the issue is not a flaw in the feature or an iOS vulnerability. A malware. The good news is that this technique has not yet been observed in the wild.
“While Lockdown Mode effectively reduces the attack surface on an iOS device, it’s important to remember that once a device is already compromised, Lockdown Mode doesn’t stop malware from operating.” reads the post published by the researchers. “Lockdown Mode doesn’t function as antivirus software, it doesn’t detect existing infections, and it doesn’t affect the ability to spy on an already compromised device.”
The Lockdown Mode was first introduced by Apple in September 2022 to protect its users against “highly targeted cyberattacks.
However, if the iPhone was previously compromised, the security feature cannot block the malware from running in the background, whether the user activates Lockdown Mode or not
Upon turning on the feature in the Settings app, the method -[PUILockdownModeController setLockdownModeGloballyEnabled:] is triggered. The -[PUILockdownModeController setLockdownModeGloballyEnabled:] is an objective-C method, the researchers exmpained that it is possible to use the method_exchangeImplementations Method Hooking technique to replace its content.
The researchers’ approach is simple, when the user activates Lockdown Mode, a file named /fakelockdownmode_on is generated as an indicator, triggering a userspace reboot. The researchers also intercepted other functions, including -[PUILockdownModeController lockdownModeEnabled()], to simulate the presence of this file.
The device did not reboot and allowed the researchers to inject code to maintain adaptable control over the Lockdown Mode. The researchers pointed out that even malware lacking a persistence mechanism can persistently run and spy on the user.
An attacker could also manipulate the Lockdown Mode on the Safari web browser allowing to view PDF files, which is not possible when the security feature is enabled.
The researchers published a video PoC to show how the technique works. A user activates LockdownMode in Settings, but the feature is not activated because it is still possible to view PDF files in Safari.
In August 2023, Jamf Threat Labs researchers developed a post-exploit persistence technique on iOS 16 that trick victims into believing that the device is in functional Airplane Mode. In reality, the researchers plant an artificial Airplane Mode that modifies the UI to display Airplane Mode icons and cuts internet connection to all apps except the rogue attacker’s application. Using this trick, the attacker can maintain access to the mobile phone even when the user believes it is offline. The researchers pointed out that this technique has not yet been used in attacks in the wild.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Apple)
