Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and maintain access to an Apple device even when the victim believes it's offline.
The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," Jamf Threat Labs researchers Hu Ke and Nir Avraham said in a report shared with The Hacker News.
Airplane Mode, as the name implies, allows users to turn off the wireless features of their devices, effectively preventing them from connecting to Wi-Fi networks, cellular data, and Bluetooth as well as sending or receiving calls and text messages.
The technique devised by Jamf, in a nutshell, gives the user the illusion that Airplane Mode is on while allowing a malicious actor to stealthily maintain a cellular network connection for a rogue application.
"When the user turns on Airplane Mode, the network interface pdp_ip0 (cellular data) will no longer display ipv4/ipv6 ip addresses," the researchers explained. "The cellular network is disconnected and unusable, at least to the user space level."
While the underlying changes are carried out by CommCenter, the user interface (UI) modifications, such as the icon transitions, are handled by SpringBoard.
The goal of the attack, then, is to devise an artificial Airplane Mode that keeps the UI changes intact but retains cellular connectivity for a malicious payload delivered and installed on the device by other means.
"After enabling Airplane Mode with no Wi-Fi connection, users would expect that opening Safari would result in no connection to the internet," the researchers said. "The typical experience is a notification window that prompts a user to 'Turn Off Airplane Mode.'"
To pull off the ruse, the CommCenter daemon is used to block cellular data access for specific apps and disguise it as Airplane Mode through a hooked function that alters the alert window to look like the setting has been turned on.
It's worth noting that the operating system kernel notifies CommCenter via a callback routine, which, in turn, notifies SpringBoard to display the pop-up.
A closer examination of the CommCenter daemon has also revealed the presence of an SQL database that's used to record the cellular data access status of each app (aka bundle ID), with a flag set to the value "8" if an application is blocked from accessing it.
"Using this database of installed application bundle IDs we can now selectively block or allow an app to access Wi-Fi or cellular data," the researchers said.
"When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a backdoor trojan."
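The two observable facts in the report, that a genuine Airplane Mode leaves pdp_ip0 with no IPv4/IPv6 address and that CommCenter keeps a per-app table in which a flag value of 8 means "blocked from cellular data", are what a defender can cross-check against what the UI claims. The following script is an added illustration, not code from Jamf or the article: it parses a constructed ifconfig-style snapshot of the cellular interface and a constructed in-memory copy of a per-app policy table (the column names `bundle_id` and `flag` are assumptions; only the flag value 8 comes from the report), and reports an inconsistency when the UI says Airplane Mode is on but the interface still carries addresses, together with any app exempted from the block for analyst review.

```python
import re
import sqlite3
from typing import List, Sequence, Set, Tuple

# Value the report associates with "blocked from cellular data" in CommCenter's table.
BLOCKED_FLAG = 8

# Constructed sample: a genuine Airplane Mode, pdp_ip0 is up but has no addresses.
IFCONFIG_AIRPLANE_ON = """\
pdp_ip0: flags=8891<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""

# Constructed sample: pdp_ip0 still holds IPv4/IPv6 addresses, which contradicts
# an Airplane Mode indicator in the UI.
IFCONFIG_SUSPICIOUS = """\
pdp_ip0: flags=8891<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 10.20.30.40 --> 10.20.30.40 netmask 0xffffffff
\tinet6 fe80::1%pdp_ip0 prefixlen 64 scopeid 0x6
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""

# Constructed sample rows (bundle_id, flag): two apps blocked, one left with cellular access.
SAMPLE_POLICY: List[Tuple[str, int]] = [
    ("com.example.browser", BLOCKED_FLAG),
    ("com.example.mail", BLOCKED_FLAG),
    ("com.example.exempt-agent", 0),
]


def interface_addresses(ifconfig_text: str, iface: str) -> List[str]:
    """Return the inet/inet6 addresses listed under `iface` in an ifconfig-style dump."""
    addrs: List[str] = []
    current = None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            current = head.group(1)  # new interface stanza begins
            continue
        if current == iface:
            addr = re.match(r"^\s+inet6?\s+(\S+)", line)
            if addr:
                addrs.append(addr.group(1))
    return addrs


def build_policy_db(rows: Sequence[Tuple[str, int]]) -> sqlite3.Connection:
    """Create an in-memory stand-in for the per-app cellular policy table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cell_policy (bundle_id TEXT PRIMARY KEY, flag INTEGER)")
    conn.executemany("INSERT INTO cell_policy VALUES (?, ?)", rows)
    conn.commit()
    return conn


def unblocked_apps(conn: sqlite3.Connection) -> Set[str]:
    """Bundle IDs whose flag is anything other than the 'blocked' value."""
    cur = conn.execute("SELECT bundle_id FROM cell_policy WHERE flag != ?", (BLOCKED_FLAG,))
    return {row[0] for row in cur}


def audit(ui_airplane_mode_on: bool, ifconfig_text: str, conn: sqlite3.Connection) -> List[str]:
    """Cross-check the UI claim against interface state and the per-app policy table.

    Only meaningful when the UI reports Airplane Mode on: a real Airplane Mode leaves
    pdp_ip0 without addresses, so any address on it is a finding. Apps not marked
    blocked are listed as context for the analyst rather than as proof of compromise.
    """
    findings: List[str] = []
    if not ui_airplane_mode_on:
        return findings
    addrs = interface_addresses(ifconfig_text, "pdp_ip0")
    if addrs:
        findings.append(f"pdp_ip0 still has addresses while the UI shows Airplane Mode on: {addrs}")
    for bundle in sorted(unblocked_apps(conn)):
        findings.append(f"app {bundle} is not marked blocked (flag != {BLOCKED_FLAG})")
    return findings


if __name__ == "__main__":
    db = build_policy_db(SAMPLE_POLICY)
    for label, snapshot in (("genuine", IFCONFIG_AIRPLANE_ON), ("suspicious", IFCONFIG_SUSPICIOUS)):
        print(f"[{label}]")
        for f in audit(True, snapshot, db) or ["no findings"]:
            print("  -", f)
```

The interface check is the stronger signal, because it rests directly on the behaviour the researchers describe for a genuine Airplane Mode; the per-app listing only surfaces which bundle IDs have been left with cellular access so an analyst can decide whether that exemption is expected.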