Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and main access to an Apple device even when the victim believes it is offline.
The method “tricks the victim into thinking their device’s Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application,” Jamf Threat Labs researchers Hu Ke and Nir Avraham said in a report shared with The Hacker News.
Airplane Mode, as the name implies, allows users to turn off wireless features in their devices, effectively preventing them from connecting to Wi-Fi networks, cellular data, and Bluetooth as well as sending or receiving calls and text messages.
The approach devised by Jamf, in a nutshell, provides an illusion to the user that the Airplane Mode is on while allowing a malicious actor to stealthily maintain a cellular network connection for a rogue application.
“When the user turns on Airplane Mode, the network interface pdp_ip0 (cellular data) will no longer display ipv4/ipv6 ip addresses,” the researchers explained. “The cellular network is disconnected and unusable, at least to the user space level.”
While the underlying changes are carried out by CommCenter, the user interface (UI) modifications, such as the icon transitions are taken care of by the SpringBoard.
The goal of the attack, then, is to devise an artificial Airplane Mode that keeps the UI changes intact but retains cellular connectivity for a malicious payload installed on the device by other means.
“After enabling Airplane Mode without a Wi-Fi connection, users would expect that opening Safari would result in no connection to the internet,” the researchers said. “The typical experience is a notification window that prompts a user to ‘Turn Off Airplane Mode.'”
To pull off the ruse, the CommCenter daemon is utilized to block cellular data access for specific apps and disguise it as Airplane Mode by means of a hooked function that alters the alert window to look like the setting has been turned on.
It’s worth noting that the operating system kernel notifies the CommCenter via a callback routine, which, in turn, notifies the SpringBoard to display the pop-up.
A closer examination of the CommCenter daemon has also revealed the presence of an SQL database that’s used to record the cellular data access status of each app (aka bundle ID), with a flag set to the value “8” if an application is blocked from accessing it.
“Using this database of installed application bundle IDs we can now selectively block or allow an app to access Wi-Fi or cellular data using the following code,” the researchers said.
“When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a backdoor trojan.”
