As hundreds of thousands of people sit back, relax and prepare for take-off this summer, many will be enabling their iPhone’s airplane mode setting, whereby their device’s radio frequency (RF) transmission technology is switched off, severing their connection to their mobile network for the duration of the flight.
Also known as flight mode or flight safe mode, this feature was first introduced many years ago as a safety measure to protect aircraft from supposed interference with their comms or navigation systems. In reality, this apparent threat to aircraft safety was somewhat overstated by many, and the rules are less strict now than they were, while in-flight Wi-Fi services have improved to the point of being useable. Nevertheless, enabling airplane mode remains a key step in the pre-flight routine.
However, researchers at Jamf Threat Labs have now discovered and successfully demonstrated an exploit technique that enables an attacker to maintain persistence on their victim’s device even when the user believes they are offline.
The technique, which has not been observed in the wild, hinges on the successful creation of an artificial airplane mode “experience” by a hypothetical threat actor, whereby the device appears to be offline when it is not.
Ultimately, the exploit chain pieced together by Jamf leads to a situation where attacker-controlled processes can run unchecked and unobserved in the background, with the device’s owner unaware anything is amiss.
“Jamf Threat Labs routinely investigates attacker techniques from a variety of perspectives so we can ultimately enhance the defensive posture of our customers and enable a community of professionals who are responsible for defending Apple devices used at work,” said Jamf vice-president of strategy Michael Covington.
“In the case of fake airplane mode, our researchers were exploring the ‘art of the possible’ on a mobile device,” he said. “They wanted to see if they could simulate an exploit where the attacker was able to maintain connectivity, even when the user believed the device to be in offline mode. The result was, in my opinion, a very clever visual hack that allowed the attacker to disguise their tracks while working on the device.”
How it works
On iOS devices, two daemons are tasked with switching to airplane mode – SpringBoard, which handles visible changes to the user interface (UI); and CommCenter, which operates the underlying network interface and manages a feature that allows users to block mobile data access for specific apps.
Under normal conditions, when airplane mode is enabled, the mobile data interface no longer displays IPv4 or IPv6 addresses, and the mobile network is disconnected and unusable at the user space level.
Jamf’s team, however, was able to find the relevant section of the target device’s console log, and from there use a specific string, “#N User airplane mode preference changing from kFalse to KTrue”, to locate the code referencing it.
From there, they successfully accessed the device’s code, and hooked and replaced the function with an empty or do-nothing function. In this way they were able to create a fake airplane mode in which the device is not actually disconnected and internet access is maintained.
They then went after the UI, hooking two distinct Objective-C methods to inject a small piece of code that adjusted the mobile connectivity icon to dim it and make the user think it is turned off, and highlight the airplane mode icon (a pictogram of an aircraft).
With airplane mode apparently on, the hypothetical victim would reasonably suppose at this point that if they were to open Safari they would receive a standard notification prompting them to turn off airplane mode or use a Wi-Fi network to access data.
However, since they are actually still online, they would see a different prompt asking them to allow Safari to use wireless data via WLAN or mobile, or WLAN only, which would be a clue something was amiss.
For the exploit chain to work, the Jamf team knew this issue needed to be addressed, so they worked out a method whereby they were able to give the user the impression of being disconnected from mobile data services by exploiting the CommCenter feature to block mobile data access for specific apps and disguise it as airplane mode by hooking yet another function.
In this way, they created a situation where the user was served a prompt to turn off airplane mode, as opposed to the prompt they should have seen.
To disconnect the internet for Safari without actually turning on airplane mode, the team used the SpringBoard feature that prompts the “turn off airplane mode” notification after being notified to do so by CommCenter, which is itself notified by the device kernel via a registered observer/callback function.
From there, the team found CommCenter also manages an SQL database file that records the mobile data access status of each application, assigning each a specific flag if it is blocked from accessing mobile data. From this, they could read a list of application bundle IDs and obtain their preset values, then selectively block or allow an app to access Wi-Fi or mobile data.
Tying all this together, the team had effectively created an exploit chain in which their fake airplane mode appears to the victim to be operating just as the real one does, except that non-application processes are able to access mobile data, Covington told Computer Weekly.
“This hack of the user interface disguises the attacker’s movement by placing the device into a state that is counterintuitive to what the user expects,” he said. “This could allow an attacker to surveil the user and their surroundings at a time when no one would suspect video recording or a live microphone capturing audio. The reason this is possible is because the mobile device is still online, despite what the interface is communicating to the user.”
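For defenders, the observation above that a genuinely offline device shows no IPv4 or IPv6 address on its mobile data interface suggests a consistency check between what the UI claims and what the network stack reports. The following is an added example, not code from Jamf or the original article; the `pdp_ip` interface naming, the `ifconfig`-style input and the function names are assumptions, and both snapshots are constructed.

```python
import re

# Assumption: iOS cellular data interfaces are named pdp_ip0, pdp_ip1, ...
CELLULAR = re.compile(r"^pdp_ip\d+$")

# Constructed snapshots (documentation address ranges), not real device output.
GENUINE = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.0.2.77 netmask 0xffffff00 broadcast 192.0.2.255
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
"""
# Same listing, but the cellular interface still holds addresses.
FAKE = GENUINE + """\
    inet 192.0.2.10 --> 192.0.2.10 netmask 0xffffffff
    inet6 2001:db8::10 prefixlen 64 autoconf
"""

def parse_ifconfig(text):
    """Map each interface name to the (family, address) pairs listed under it."""
    ifaces, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\S+?):\s+flags=\w+<[^>]*>", line)
        if header:
            current = ifaces.setdefault(header.group(1), [])
            continue
        addr = re.match(r"^\s+(inet6?)\s+(\S+)", line)
        if addr and current is not None:
            current.append((addr.group(1), addr.group(2)))
    return ifaces

def airplane_mode_mismatch(ui_airplane_mode_on, ifconfig_text):
    """Return cellular addresses that contradict a UI claiming airplane mode.

    Wi-Fi (en0) is deliberately ignored: a user may legitimately re-enable
    Wi-Fi while airplane mode is on, so only the mobile data bearer is checked.
    """
    if not ui_airplane_mode_on:
        return []
    return [(name, family, address)
            for name, addrs in parse_ifconfig(ifconfig_text).items()
            if CELLULAR.match(name)
            for family, address in addrs]
```

An empty result means the interface state agrees with the UI; any returned tuple is an address that should not exist while airplane mode is shown as on.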
Covington said that because the exploit chain does not constitute a vulnerability in the traditional sense, but rather a technique that allows an attacker to maintain connectivity once they have control of the device through another series of exploits, the discovery falls outside the normal responsible disclosure process.
“Regardless, our researchers did notify Apple of the research,” said Covington. “We have not received any comment.”
Who is at risk?
The novel attack technique is clearly a risk, but if it were to be deployed in anger it is more likely to be used in a targeted attack scenario by a threat actor with very specific goals in mind, than in a mass-exploitation event targeting the general public.
For example, exploitation for espionage or surveillance by hostile government-backed actors against people of interest is a more plausible scenario than exploitation by financially motivated cyber criminals.
The fact that the use of airplane mode is not always limited to the flying public also hints at more possibilities of how the technique could be used in the wild. “Though any rule-abiding traveller will be familiar with the regulations that require devices to be switched into offline mode while in a commercial aircraft in flight, that’s not the only time airplane mode is utilised,” said Covington.
“We hear frequently from individuals and organisations that utilise offline mode when visiting secure facilities, attending board meetings, and in scenarios that are ‘off the record’ or simply disconnected for productivity purposes,” he added.
Covington said that even though the technique is most likely to be used in a targeted attack, it is still important to raise awareness on how device UIs, particularly those built by trusted suppliers such as Apple, can be turned against their users because of the inherent trust people place in their mobile devices.
“The important thing is that users and security teams become more educated on modern attack techniques such as those demonstrated through the fake airplane mode research,” he said. “In a way, this is the next generation of social engineering, and it’s not too dissimilar to how AI is being used to create fake testimonials that appear to be from known celebrities.
“Knowing that an attack technique is possible forces users to be more alert and to question the anomalies that they witness in their daily routines.”