
Fake Airplane Mode: A mobile tampering technique to evade detection

Jamf Threat Labs has developed a post-exploit persistence technique on iOS 16 which tricks the victim into thinking their device’s Airplane Mode works when in reality the attacker (following a successful device exploit) has planted an artificial Airplane Mode which edits the UI to display the Airplane Mode icon and cuts the internet connection to all apps except the attacker’s application. This enables the attacker to maintain access to the device even when the user believes it is offline. This technique has not yet been observed in the wild.

Has your Airplane Mode been tampered with?

As the name suggests, Airplane Mode is designed to allow passengers to safely use a mobile device during flight, turning off the wireless cellular features to avoid interference with critical flight equipment.

However, the use of Airplane Mode has expanded beyond travel and is used by some to preserve battery, and others as a way to disconnect from our always connected world. It has even been suggested as a meditation technique.

For those with cyber-paranoia and technophobia, putting your phone on Airplane Mode may be a useful psychological trick to help achieve peace of mind and a feeling of additional privacy.

But should you use Airplane Mode to protect your security and privacy?

Today we’re going to dive into the technology underlying Airplane Mode on iOS to demonstrate an approach that would allow a malicious actor to maintain a cellular network connection for an application, even when the user believes they have enabled Airplane Mode.

The Underlayer

We start by analyzing how Airplane Mode works. Two daemons carry the main task of switching Airplane Mode. SpringBoard takes care of changes on the UI, and CommCenter is responsible for operating the underlying network interface. Note that CommCenter is also responsible for managing the feature that allows users to “Block cellular data access for specific apps.”

Creating an artificial Airplane Mode

In this section, we’ll show how we created an artificial Airplane Mode, keeping UI changes while preserving cellular connectivity for a selected application (which in an attack scenario would be the attacker’s malware they installed as part of a device exploit).

We start by following the console logs. Notice that when you switch on Airplane Mode, the earliest relevant log appears to be the one found below, “#N User airplane mode preference changing from….”

We use this string to locate the code that references it in the disassembler. It’s a symbol-less C++ function found here:

Hoping that this function was early enough in the chain of calls that enable Airplane Mode, we successfully hooked and replaced it with an empty, do-nothing function. The result was a fake Airplane Mode. Now, when the user turns on Airplane Mode, the device will not be disconnected from the cellular network and internet access will be uninterrupted.

Preserving the expected user experience

Additional UI tweaks are required to make the attack look like the typical Airplane Mode experience. One small example was to dim the cellular icon and to prevent the user from interacting with it.

To accomplish this, we hooked two Objective-C methods, -[SBStatusBarStateAggregator _noteAirplaneModeChanged] and -[CCUIModularControlCenterOverlayViewController _beginPresentationAnimated:interactive:], and injected a piece of code that adjusts the cellular icon to pull off the intended effect.

Appearing to disconnect the internet

After enabling Airplane Mode without a Wi-Fi connection, users would expect that opening Safari would result in no connection to the internet. The typical experience is a notification window that prompts the user to “Turn Off Airplane Mode”. To achieve this effect, we will utilize the aforementioned CommCenter feature to “Block cellular data access for specific apps”, and disguise it as Airplane Mode through the hooked function below.

The screenshots below show the spoofed user experience with the message that normally occurs from the “Block cellular data access for specific apps” feature on the left, and the result of hooking the notification window to look like the typical Airplane Mode message on the right.

Replacing the alert window is one thing, but how did we disconnect the internet for Safari without actually turning on airplane mode and affecting the entire device? After all, this is the most significant sign that airplane mode is on.

How does the “Cellular Data is Turned Off” alert window work?

Similar to the earlier icon manipulation, we discovered that the system UI manager SpringBoard prompted the alert window after being notified by CommCenter. Looking one step deeper, we concluded that CommCenter was notified by the kernel through a registered observer/callback function.

CommCenter`CellularUsagePolicyController::createNEConfigurationStore_sync
-> NetworkExtension.framework`-[NEPathEventObserver initWithQueue:eventHandler:]
-> libnetwork.dylib`network_config_cellular_blocked_observer_create

These network_config_* functions internally call socket()/ioctl() to interact with the kernel:

network_config_cellular_blocked_observer_create
-> network_config_policy_observer_create
-> __network_config_policy_observer_create_block_invoke
-> network_config_setup_policy_event_watcher
-> socket(32, 3, 1)
-> ioctl(…)

We leveraged `fsevents` and observed that the CommCenter daemon also manages a SQL database file, /private/var/wireless/Library/Databases/CellularUsage.db. This database records the cellular data access status of each app.

The value of “flags” will be set to 8 if an application is blocked from accessing cellular data. This is useful as we can read a list of application bundle IDs from this SQL database file and obtain their preset value.

Using this database of installed application bundle IDs, we can now selectively block or allow an app to access Wi-Fi or cellular data using the following code. When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a backdoor Trojan.
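As an added forensic example (not code from the Jamf write-up), the following Python reads a copy of CellularUsage.db and lists the bundle IDs whose flags value marks them as blocked from cellular data, which is the state the fake Airplane Mode relies on. The table and column names (app_policy, bundle_id) are assumptions, since only the file path and the “flags” column are named above; the sample rows are constructed.

```python
import sqlite3

# Constructed sample rows: bundle IDs and the "flags" value described in the
# article (8 = blocked from cellular data). The table and column names used
# below are assumptions; the article names only the file path and "flags".
SAMPLE_ROWS = [
    ("com.apple.mobilesafari", 8),
    ("com.apple.mobilemail", 0),
    ("com.example.notes", 0),
    ("com.example.chat", 8),
]

CELLULAR_BLOCKED_FLAG = 8  # value the article reports for a blocked app


def build_sample_db():
    """Create an in-memory database shaped like the assumed CellularUsage.db schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE app_policy (bundle_id TEXT PRIMARY KEY, flags INTEGER)")
    con.executemany("INSERT INTO app_policy VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def cellular_policy(con, table="app_policy", id_col="bundle_id", flags_col="flags"):
    """Return {bundle_id: blocked?} for every app recorded in the policy table."""
    # Identifiers cannot be bound as SQL parameters, so restrict them to plain names.
    if not all(s.isidentifier() for s in (table, id_col, flags_col)):
        raise ValueError("table/column names must be plain identifiers")
    result = {}
    for bundle_id, flags in con.execute(f"SELECT {id_col}, {flags_col} FROM {table}"):
        flags = flags if isinstance(flags, int) else 0  # NULL/odd values: treat as not blocked
        # Assumption: the blocked state is the 8 bit; the article only says "set to 8".
        result[bundle_id] = (flags & CELLULAR_BLOCKED_FLAG) == CELLULAR_BLOCKED_FLAG
    return result


def blocked_apps(con, **kw):
    """Bundle IDs whose cellular data is blocked, sorted for stable reporting."""
    return sorted(b for b, blocked in cellular_policy(con, **kw).items() if blocked)


def review_db(path=None):
    """Open an extracted copy of CellularUsage.db (or the sample) and list blocked apps."""
    con = sqlite3.connect(path) if path else build_sample_db()
    try:
        return blocked_apps(con)
    finally:
        con.close()


if __name__ == "__main__":
    for app in review_db():
        print(f"blocked from cellular data: {app}")
```

Run it against an extracted copy of the database with review_db(path); an app listed here that the user never blocked in Settings is worth a closer look.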

Guest Author
