Naked Security

“Snakes in airplane mode” – what if your phone says it’s offline but isn’t?

WYSIWYG is short for "what you see is what you get". Except when it isn't...

Researchers at Apple device management company Jamf recently published an intriguing paper entitled Fake Airplane Mode: A mobile tampering technique to maintain connectivity.

We’ll start with the good news: the tricks that Jamf discovered can’t magically be triggered remotely, for example merely by enticing you to a booby-trapped website.

Attackers need to implant rogue software onto your iPhone first in order to pull off a “fake airplane” attack.

The bad news, however, is that the software shenanigans used aren’t the typical tricks associated with malware or data exfiltration code.

That’s because “fake airplane” mode doesn’t itself snoop on or try to steal private data belonging to other apps, but works simply by showing you what you hope to see, namely visual clues that imply that your device is offline even when it isn’t.

Given that even the App Store, Apple’s own compulsory walled garden for software downloads, isn’t immune to malware and potentially unwanted applications…

…you can imagine that determined scammers, cryptoconfidence tricksters and spyware peddlers might be keen to find a way to hide “fake airplane” treachery in otherwise unexceptionable-looking apps in order to make it through the App Store verification process.

What you see is not necessarily what you get

As the Jamf researchers explain it, most users who are concerned not only about going offline temporarily, but also with checking that they really are disconnected from the internet, do something like this:

  • Swipe up from the home screen to access the Control Center. Tapping on the aircraft icon typically turns the aircraft orange and all three radio communication icons (mobile, wireless and Bluetooth) grey:

  • Try to browse to a popular site. Opening or refreshing a web page when airplane mode is successfully engaged typically produces a notification that explicitly says Turn off Airplane Mode or use Wi-Fi to Access Data:

At this point, a well-informed user would be inclined to accept not only that they had turned airplane mode on, but also that they had successfully cut the apps on their phone off from the internet.

Unfortunately, Jamf coders found a series of sneaky tricks by which they could separate appearance from reality.

Firstly, they figured out how to intercept the API (application programming interface) call triggered by tapping on the aircraft icon on the Control Center screen.

In this way, the apparent switch to airplane mode was recorded in the iPhone logs, yet the actual system call to take the phone offline in real life was hijacked to turn off Wi-Fi but not the mobile network, leaving an unexpected pathway off the phone for any app authorised to use mobile data.

Secondly, they reconfigured your browser (they used Safari in their tests, but we assume other apps, including alternative browsers, could be tricked in the same way) so that the app alone, rather than the entire device, was blocked from using mobile data connections.

In theory, the roguery of cutting off a specific app from the internet instead of the whole phone ought to be obvious, because a well-informed user would see a completely different warning when trying to browse to a known page:

This notification clearly implies that mobile data is turned on in general, but disabled specifically for Safari, in contrast to the warning shown above, where airplane mode is mentioned explicitly.

So, thirdly, the researchers figured out how to intercept the “mobile data is turned off” dialog, and simply to replace it with the more reassuring “airplane mode is on” notification instead.

The last possible giveaway facing the Jamf researchers was that with airplane mode artificially activated in the Control Center screen (thus correctly turning the aircraft icon orange), the mobile data connection icon (the broadcasting lollipop) would nevertheless remain green.

Fourthly, therefore, the researchers found a way to dim the mobile data icon to give the false impression that the option was disabled, and thus by implication turned off, even though it wasn’t.

What to do?

The good news is that the researchers only figured out how to misrepresent the state of your device’s connectivity when changes were made via the Control Center swipe-up screen.

If you go directly to the Settings page, the tricks outlined here are no longer enough, because the Airplane Mode setting, along with the resulting configuration forced on your Wi-Fi, Bluetooth and Mobile Data settings, can be correctly controlled and reliably checked:

We’re assuming, with enough effort and with sufficiently powerful malware already installed on your iPhone, that a determined attacker might be able to interfere even with the Settings page, but the Jamf team didn’t come up with a practicable way of doing this in their research.

So, if you ever need to use apps on your phone while being as certain as you can that it’s cut off from the internet, remember that a simple connection test with your browser might not be telling you the truth.

Check directly on the Settings page, rather than indirectly via Control Center or your browser.
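
The same cross-check can be made from outside the user interface. The added example below (not code from Jamf's paper or from this article) flags periods in which a device claims to be in airplane mode while its mobile-data byte counter keeps rising; the event schema, the thresholds and the sample records are all constructed assumptions.

```python
# Constructed telemetry in a hypothetical schema (not an Apple log format):
# (seconds, event, value). "airplane" is the state the UI and logs claim;
# "cell_bytes" is a cumulative byte counter for the mobile-data interface.
SAMPLE_EVENTS = [
    (0,   "cell_bytes", 10_000),
    (60,  "airplane",   "on"),       # user taps the aircraft icon
    (61,  "cell_bytes", 10_200),     # inside the grace period, ignored
    (300, "cell_bytes", 10_200),     # genuinely quiet window
    (360, "airplane",   "off"),
    (400, "cell_bytes", 55_000),     # normal traffic while online
    (500, "airplane",   "on"),
    (505, "cell_bytes", 55_100),
    (900, "cell_bytes", 2_300_000),  # traffic while claimed offline
    (960, "cell_bytes", 4_000),      # counter reset, e.g. after a reboot
    (990, "cell_bytes", 90_000),
]

GRACE_SECONDS = 5        # assumed time allowed for the radios to shut down
MIN_LEAK_BYTES = 1_024   # assumed noise floor before raising a finding


def find_offline_leaks(events, grace=GRACE_SECONDS, floor=MIN_LEAK_BYTES):
    """Return (start, end, leaked_bytes) for each claimed-offline window in
    which the mobile-data counter still advanced by at least `floor` bytes."""
    findings = []
    start = last = now = None   # window start, previous sample, current time
    leaked = 0
    for now, kind, value in sorted(events):
        if kind == "airplane":
            # Any state change closes the current window, if one is open.
            if start is not None and leaked >= floor:
                findings.append((start, now, leaked))
            start = now if value == "on" else None
            last, leaked = None, 0
        elif kind == "cell_bytes" and start is not None and now >= start + grace:
            if last is not None and value >= last:
                leaked += value - last
            # First sample in the window, or a counter reset: re-baseline
            # without counting, which under-reports rather than false-alarms.
            last = value
    if start is not None and leaked >= floor:   # window still open at the end
        findings.append((start, now, leaked))
    return findings


if __name__ == "__main__":
    for begin, end, nbytes in find_offline_leaks(SAMPLE_EVENTS):
        print(f"claimed offline {begin}s-{end}s, but {nbytes} bytes of mobile data moved")
```
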


2 Comments

Not sure malware creators will find a use case which justifies the effort, as most users probably have their phone not in airplane mode. If you can install a rootkit then you can do whatever, such as using the microphone and camera to snoop on confidential meetings etc.


Indeed, if you already have enough access to install a rootkit (or perhaps we should just say “if you can inject your own code into chosen spots in the kernel”) then I don’t think you’ll find much need for this sort of trick.

Nevertheless, I thought it was worth writing up because of the many different ways that today’s OSes and apps have of presenting various chunks of security-related information, and how easily we end up relying on tell-tale signs that aren’t necessarily as reliable or as robust as we might think.

As an example, consider that when you put in a car for its annual safety test, the tester doesn’t just flip the indicator stalk inside the car and check that the orange repeater light on the dashboard blinks at the expected rate. They also cross-check that all the external indicator lights (a.k.a. turn signals) on the expected side of the vehicle illuminate to the correct brightness at the same time.

It’s often handy to know more than one way of checking whether software feature X is activated or not, just in case either monitoring tool has an Achilles heel…
