A recent report published by Jamf Threat Labs has revealed a new technique that allows hackers to manipulate the iPhone user interface to simulate airplane mode, while maintaining internet connectivity. This discovery poses a significant security threat as attackers can exploit this trick to maintain control over a target device without the user’s knowledge.
To understand how this manipulation is achieved, it’s important to examine the code that controls various elements of iOS 16’s airplane mode experience. There are two specific daemons involved in the switch to airplane mode: “SpringBoard” and “CommCenter.” The former handles changes to the user interface, while the latter is responsible for state changes in the network interface.
By hooking into CommCenter and replacing the code that would disable network interfaces with dummy code, the researchers were able to make the UI changes appear as if airplane mode was activated, while the device’s network connections remained intact. In simpler terms, the user taps the airplane mode button, but the subsequent calls into the network substrate are blocked.
However, manipulating SpringBoard alone was not sufficient. Other elements of the airplane mode experience had to be accounted for as well. Researchers managed to insert code to dim the Control Center Wi-Fi button, giving the impression that Wi-Fi was turned off.
Furthermore, researchers discovered a database file managed by CommCenter called “CellularUsage.db,” located at http://private/var/wireless/Library/Databases/CellularUsage.db. This database controls cellular and Wi-Fi access for each app. By modifying a single parameter, the researchers successfully blocked connectivity to Safari without affecting the rest of the device.
It is important to note that performing these manipulations requires complete control over the targeted device. Therefore, these techniques are only applicable to hackers who have already gained access to a device. This newfound knowledge sheds light on the potential for future mobile device compromises and emphasizes the need for improved detection and defense mechanisms.
Michael Covington, vice president of portfolio strategy at Jamf, likens this technique to a form of social engineering. It tricks the user into believing that airplane mode is active when, in reality, the device is still connected to the internet. This lack of awareness on the user’s part allows hackers to carry out surveillance or install and remove software without detection.
For defenders, understanding these UI hacks provides valuable insight into the tactics that may be employed by attackers in future mobile device compromises. Detecting and analyzing the artifacts left behind during an attack can lead to improved defense strategies and the development of intelligent detection tools.
Covington highlights the importance of using this knowledge alongside existing techniques to create an ever-growing list of indicators that a device may have been compromised. By continuously evolving defense strategies and leveraging this newfound knowledge, it is possible to stay one step ahead of attackers and protect against these types of vulnerabilities.
As mobile devices become increasingly integral to our daily lives, it is crucial to remain vigilant and proactive in safeguarding our personal information. Continued research and collaboration between industry experts is essential in staying ahead of emerging threats and ensuring the security of our devices and data.