Friday, August 18, 2023

Post-Exploit Fake Airplane Mode

Jamf Threat Labs:

Jamf Threat Labs developed a post-exploit persistence technique on iOS 16 that falsely shows a functional Airplane Mode. In reality, after successful device exploit the attacker plants an artifical Airplane Mode that edits the UI to display Airplane Mode icons and cuts internet connection to all apps except the attacker application. This enables the attacker to maintain access to the device even when the user believes it is offline.


To accomplish this, we hooked two Objective-C methods and injected a piece of code that adjusts the cellular icon to pull off the intended effect.


Using this database of installed application bundle IDs we can now selectively block or allow an app to access Wi-Fi or cellular data using the following code. When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a Backdoor Trojan.

Via Guilherme Rambo:

“Here’s how we hacked a hacked device”

Saagar Jha:

I’m going to pick on @iMore for a moment. They definitely aren’t the only site doing it, but they do happen to do basically everything wrong here, even if they didn’t mean to.


@JamfSoftware researchers did not find an exploit. They presented their idea of a potential post-exploit technique. It’s not that this has “yet to be observed in the wild” but more that it’s something they created as a thought experiment.


To have this kind of access, an attacker has already completely pwned your system. Again, this is a post-exploit technique. It’s definitely a somewhat amusing one but 100% not something that works by itself.

John-Anthony Disotto:

When asked if there was any fix to this Airplane Mode threat users can take advantage of, Michael Covington, VP of Strategy at Jamf told us no (as of yet), but said, “Users should be on the lookout for unusual app crashes, unexpected device reboots, rapid battery drains, and the activation of sensors like the camera, microphone, or GPS, which can all trigger a UI indicator for the privacy-aware.”


Apple is aware of the exploit and will likely have a resolution sooner rather than later, heck, they may have already fixed this threat.

Saagar Jha:

My dude, did you even read your own blog post? It is literally about hiding UI indicators of an exploit. I’m sure that checking caller ID will help people avoid a 0-day 🙄


The real takeaway from this is: JAMF Threat Labs did some reverse engineering of Airplane Mode. They then made a little tweak that fakes the UI, which is always possible after an exploit. “omg be scared hackers can do unspeakable things to you” is not the right take.

1 Comment RSS · Twitter · Mastodon

Calling this an exploit as iMore does reminds me of Raymond Chen's series of blog posts about vulnerability reports that start with "first, assume we have administrative permissions...". The key phrase is "It rather involved being on the other side of this airtight hatchway."

Leave a Comment