A recent paper published by Apple device management company Jamf has shed light on a new mobile tampering technique called “fake airplane” mode that allows attackers to maintain connectivity on an iPhone even when the device appears to be in airplane mode. The good news is that this technique cannot be triggered remotely: attackers must first implant rogue software onto the device in order to carry out the attack.
The bad news, however, is that this technique doesn’t involve the typical tricks associated with malware or data exfiltration. Instead, “fake airplane” mode works by deceiving users into believing that their device is offline when it is actually connected to the internet. This is achieved through a series of deceptive visual clues that imply the device is offline.
Given that even the Apple App Store, which is known for its stringent verification process, is not immune to malware, scammers and spyware peddlers could potentially find a way to hide “fake airplane” mode within seemingly harmless apps. This poses a major security risk for users who rely on the App Store for their app downloads.
Jamf researchers explain that most users who want to ensure they are disconnected from the internet typically use the Control Center to activate airplane mode. This involves swiping up from the home screen and tapping on the airplane icon, which turns the icon orange and disables mobile, wireless, and Bluetooth connections.
However, the researchers discovered sneaky tricks that can deceive users. Firstly, they intercepted the application programming interface (API) call triggered by tapping on the airplane icon, recording the switch to airplane mode in the device logs while secretly turning off only Wi-Fi and not the mobile network. This leaves a pathway for apps authorized to use mobile data to access the internet.
Secondly, they reconfigured the browser so that the app itself was blocked from using mobile data connections, instead of disabling internet access for the entire device. This means that when a user tries to access a website, they receive a notification implying that mobile data is turned on but disabled specifically for the browser. To further deceive users, the researchers replaced the “mobile data is turned off” dialog with a more reassuring “airplane mode is on” notification.
Another potential giveaway was that while airplane mode was activated, the mobile data connection icon remained green. The researchers managed to trick users by dimming the mobile data icon, giving the false impression that mobile data was disabled.
Fortunately, the researchers discovered that these tricks only work when changes are made through the Control Center. When users directly access the settings page, they can accurately control and check the airplane mode setting and its impact on Wi-Fi, Bluetooth, and mobile data settings.
As a precaution, users are advised to check the settings page directly rather than relying on the Control Center or browser to determine the true status of their device’s connectivity. While it is theoretically possible for a determined attacker with powerful malware to interfere with the settings page, the Jamf team did not identify a practical way of doing this in their research.
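The mismatch described above, where the switch to airplane mode is recorded in the logs while the mobile network stays up, can also be looked for from the monitoring side. The following check is an added example, not code from Jamf or from the research; the telemetry format, the `cell_bytes` counter and the function name `find_fake_airplane_windows` are assumptions made for illustration.

```python
from datetime import datetime

# Constructed telemetry, NOT a real iOS log format: "<timestamp> <event> <value>".
# "airplane" is the logged mode switch; "cell_bytes" is a cumulative byte
# counter sampled from the mobile data interface.
SAMPLE = """\
2024-01-01T10:00:00 cell_bytes 120000
2024-01-01T10:01:00 airplane on
2024-01-01T10:02:00 cell_bytes 120000
2024-01-01T10:05:00 cell_bytes 184500
2024-01-01T10:09:00 airplane off
2024-01-01T10:10:00 cell_bytes 260000
2024-01-01T10:20:00 airplane on
2024-01-01T10:25:00 cell_bytes 260000
2024-01-01T10:30:00 airplane off
"""

def find_fake_airplane_windows(text, tolerance=0):
    """Return (start, end, bytes_moved) for every logged airplane-mode window
    in which the mobile data counter still grew by more than `tolerance`."""
    findings = []
    start = None      # when airplane mode was logged as on, or None
    baseline = None   # first counter sample taken inside the window
    moved = 0         # growth since that first in-window sample
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, value = line.split()
        ts = datetime.fromisoformat(stamp)
        if event == "cell_bytes" and start is not None:
            count = int(value)
            if baseline is None:
                # Traffic before this sample may predate the switch, so it is
                # not counted against the window.
                baseline = count
            else:
                moved = max(moved, count - baseline)
        elif event == "airplane" and value == "on" and start is None:
            start, baseline, moved = ts, None, 0
        elif event == "airplane" and value == "off" and start is not None:
            if moved > tolerance:
                findings.append((start, ts, moved))
            start = None
    if start is not None and moved > tolerance:
        findings.append((start, None, moved))  # window still open at end of log
    return findings
```

On the constructed sample, only the first window is reported: the counter grows by 64,500 bytes while airplane mode is logged as on, whereas the second window shows no mobile data traffic.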
Overall, this discovery highlights the need for users to remain vigilant when it comes to their device’s connectivity. With attackers finding increasingly sophisticated methods to deceive users, it is crucial to verify the status of airplane mode through the settings page to ensure complete disconnection from the internet when needed.

