iOS 16: Simulated flight mode as a hidden hack


Jamf Threat Labs has developed a technique on iOS 16 that can simulate airplane mode. In concrete terms, this means that attackers could use it to trick the victim into thinking that the device's flight mode is turned on while malware keeps working in the background.

To do this, the attacker installs an artificial flight mode after successfully using an exploit on the device. This changes the user interface so that the airplane mode symbol is displayed and the Internet connection is interrupted for all apps except the application that the attacker wants to use. The technique has probably not yet been exploited by malicious actors.

More safety thanks to flight mode?

Flight mode ensures that passengers can safely use their devices such as smartphones or laptops during a flight. However, flight mode is now not only used when traveling, but also to save the battery or to temporarily disconnect from our “always-on” world. Others expect additional privacy when flight mode is switched on, for example during confidential meetings or when visiting secure facilities.

But does turning on airplane mode actually lead to more security and privacy? Researchers at Jamf Threat Labs studied Apple's Airplane Mode and found that malicious hackers have the ability to maintain a cellular connection for an application even if the user believes they have Airplane Mode turned on.

How was airplane mode manipulated?

The researchers managed to change the underlying code so that the airplane mode symbol appears, but the Internet connection is still maintained for certain applications. In order to make the deception seem as real as possible, the following changes were made:

  • The airplane mode icon turns on.
  • The network connection or Wi-Fi icon will be grayed out.
  • When the browser is opened, the error message that is expected when airplane mode is switched on appears (see image).

Image: The display shows airplane mode, but in reality the malware app is active and accessing the Internet (Image: Jamf).

The researchers also managed to interrupt access to cellular data or Wi-Fi for all apps while maintaining it for a single selected application. The user believes that airplane mode is activated and the Internet connection is interrupted, while attackers can still load or pull data from the device via the selected application.

The screenshot shows how the researchers transformed the message that typically triggers when mobile data access is blocked for certain apps (left) into a notification window that looks like the typical Airplane Mode message (right).

How could hackers exploit this vulnerability?

The Threat Labs team created a video showing how an attacker might use this technique in a surveillance attack. For example, if fake airplane mode is active - that is, the device indicates that it is in airplane mode - the attacker can activate the camera or microphone and live stream from the device without the user being aware of a breach.

More at Jamf.com

 




 
