Researchers have figured out how to manipulate the iPhone user interface to feign airplane mode, while secretly maintaining Internet connectivity.
In a report published this week, Jamf Threat Labs highlighted the code controlling various elements of iOS 16’s airplane mode experience, and how they can be manipulated in order to merely simulate the real thing. Mobile device attackers could use this sort of trick post-exploitation, they say, to enable 24/7 persistence in a target device with the user none the wiser.
Michael Covington, vice president of portfolio strategy at Jamf, puts it simply: “Think of it as a different form of social engineering attacks,” he says, “tricking the user into believing something is true that that isn’t.”
How to Hack Airplane Mode
There are two particular daemons that handle the switch to airplane mode. “SpringBoard” makes changes to the UI, and “CommCenter” is responsible for state changes in the underlying network interface.
“What we were able to do was hook in the CommCenter, and replace the code that would normally disable those network interfaces with dummy code that didn’t actually make the changes to the device,” Covington explains. “It’s about allowing the UI change to take place as soon as the user taps the button, but not allowing the subsequent calls into the network substrate to proceed.”
Decoupling SpringBoard from CommCenter was enough to defang the airplane mode button, but there are other elements of the airplane mode experience that needed to be accounted for as well. So, for example, the researchers inserted code to dim the Control Center Wi-Fi button.
Next, they discovered a database file — http://private/var/wireless/Library/Databases/CellularUsage.db. — managed by CommCenter, which manages the cellular and Wi-Fi access to each app. By simply changing a single parameter, they successfully blocked connectivity to Safari, without affecting the rest of the device.
Implications of iPhone Manipulations
To perform any of the aforementioned actions would require total control over a host device. Therefore, these techniques are only applicable for mobile device hackers post-exploitation. “We think of this as the way that an attacker — once they get an initial toehold — could do things like surveillance, and move software on and off the device, at a time when the user is unsuspecting,” Covington says.
But the main idea for defenders now is to get a clearer picture of what future mobile device compromises might look like. “We’re interested in collecting all of the artifacts that would get left behind during a sequence of attacks. That helps make our detections better, and it could even potentially lead to improved defenses down the road, once you can leverage this knowledge into some kind of an intelligent detection tool,” Covington says. “I would add these kinds of UI hacks alongside some of the techniques that we’ve already got, and use it in an ever-growing list of things to look out for to potentially indicate that a device has been compromised.”