Welcome aboard iOS 16! Turn on Airplane mode before hackers beat you to it.

Carding

Cybercriminals have learned how to simulate "safe" airplane mode on Apple devices.

Researchers at Jamf Threat Labs have identified a new method of attacking iOS 16. It allows attackers to get into Apple devices without being noticed by simulating Airplane mode.

When this mode is activated, the pdp_ip0 network interface responsible for mobile data stops displaying IP addresses, making the cellular network inaccessible to most applications. At the same time, access is retained for specific malicious services.

Attackers use the CommCenter daemon, which plays a key role in managing mobile connectivity in iOS. The operating system kernel uses a callback function to notify CommCenter that the user must be shown a pop-up notification about the mode switch. This activates the SpringBoard system component, which is responsible for displaying push notifications on the screen.

Another interesting feature discovered by the researchers is the presence of an SQL database inside CommCenter. The database records the mobile data access of each app (identified by its bundle ID). If access is blocked, a flag with the specific value "8" is set for it.

Simply put, the algorithm allows you to secretly monitor Internet activity on the device, blocking or allowing Internet access to specific applications.

Flight mode simulation is a convenient tool for supporting malicious services, blocking security mechanisms, collecting user data, and deploying other attacks via an infected device.

Apple itself said that no vulnerabilities were found in the operating system that could allow such activity.
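A consistency check a defender could build on the pdp_ip0 behaviour described above, as an added example that is not part of the original post or of Jamf's research: if the UI reports Airplane mode but pdp_ip0 still holds IP addresses, the mode is not genuine. The ifconfig-style captures are constructed sample input, and how the UI state and the capture are collected from a device is left as an assumption.

```python
import re

# Constructed ifconfig-style captures (sample input, not from a real device).
CAPTURE_GENUINE = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
pdp_ip0: flags=8010<POINTOPOINT,MULTICAST> mtu 1450
en0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
"""

CAPTURE_SIMULATED = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
\tinet 10.64.12.7 --> 10.64.12.7 netmask 0xffffffff
\tinet6 2001:db8::1 prefixlen 64
"""

IFACE_RE = re.compile(r"^([A-Za-z0-9_]+):\s")   # "pdp_ip0: flags=..."
ADDR_RE = re.compile(r"^\s+(inet6?)\s+(\S+)")   # indented "inet"/"inet6" lines


def interface_addresses(ifconfig_text):
    """Map interface name -> list of (family, address) tuples."""
    result, current = {}, None
    for line in ifconfig_text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            current = header.group(1)
            result.setdefault(current, [])
            continue
        addr = ADDR_RE.match(line)
        if addr and current is not None:
            # Drop a scope suffix such as "%pdp_ip0" from link-local addresses.
            result[current].append((addr.group(1), addr.group(2).split("%")[0]))
    return result


def airplane_mode_mismatch(ui_airplane_on, ifconfig_text, iface="pdp_ip0"):
    """Addresses still bound to the cellular interface while the UI claims
    Airplane mode; an empty list means the two observations agree."""
    if not ui_airplane_on:
        return []
    return interface_addresses(ifconfig_text).get(iface, [])


if __name__ == "__main__":
    for name, cap in (("genuine", CAPTURE_GENUINE), ("simulated", CAPTURE_SIMULATED)):
        print(name, airplane_mode_mismatch(True, cap) or "consistent")
```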
 