Recent findings from cybersecurity researchers have unveiled a sophisticated post-exploitation technique on iOS 16 that could allow attackers to maintain covert access to Apple devices even when users believe their devices are disconnected. The method relies on a fake Airplane Mode: the user interface is manipulated to mislead the victim while a rogue application retains network access.

As reported by Jamf Threat Labs researchers Hu Ke and Nir Avraham, the technique deceives users into believing their Airplane Mode is active. This is achieved through an artificial Airplane Mode created by the attacker, allowing only their malicious application to maintain internet connectivity while restricting all other network functionalities. The researchers elaborated on their findings in a report shared with The Hacker News.

Airplane Mode is designed to disable a device’s wireless communications, which stops it from connecting to Wi-Fi, cellular data, or Bluetooth, and blocks the ability to send or receive calls and messages. However, the method discovered by Jamf presents a scenario where the UI indicates Airplane Mode is active, while in reality, a malicious actor can exploit a persistent connection for nefarious purposes.

The essence of the attack is to create an artificial state that preserves the visual cues of Airplane Mode while facilitating cellular access for a malicious component already installed on the device. When a user enables Airplane Mode, standard behavior would lead to Safari and other apps displaying no internet connection; instead, this ruse permits continuous operation of the connected rogue application.

The researchers pointed out that, on iOS, disabling the network interface, specifically at the pdp_ip0 layer, hides any ongoing network activity from the user, who is left unaware that the device was never truly disconnected. Underneath, the system relies on the CommCenter daemon to manage cellular data access and on SpringBoard for UI presentation, and it is the interplay of these two components that lets the attacker create a seamless and deceptive experience for the victim.

In executing this attack, the CommCenter daemon is essential because it can block cellular data access for designated applications. The manipulation relies on a hooking technique that alters the notification prompts shown to the user, so that the user is led to believe Airplane Mode is fully in effect while cellular connectivity in fact remains active solely for the malicious payload.

The method appears to fall under multiple categories identified in the MITRE ATT&CK framework. Initial access may have been gained through a different vector, but once inside, the technique illustrates persistence, as the attacker maintains a foothold through disguised connectivity. This scenario showcases aspects of privilege escalation as well, where malicious processes bypass expected restrictions designed to protect user data and device integrity.

Furthermore, an SQL database within the CommCenter tracks the data access statuses of installed applications, setting blockage flags that can be altered to allow or deny specific apps connectivity, while still presenting a mask of normalcy to the end-user. The researchers concluded that, when effectively employed, this fake Airplane Mode mimics standard functionality well enough to hide malicious operations that would otherwise be evident to a vigilant user.
