“Snakes in airplane mode” – what if your phone says it’s offline but isn’t? – Naked Security

Researchers at Apple device management company Jamf recently published an intriguing paper entitled Fake Airplane Mode: A mobile tampering technique to maintain connectivity.

We’ll start with the good news: the tricks that Jamf discovered can’t magically be triggered remotely, for example merely by enticing you to a booby-trapped website.

Attackers need to implant rogue software onto your iPhone first in order to pull off a “fake airplane” attack.

The bad news, however, is that the software shenanigans used aren’t the typical tricks associated with malware or date exfiltration code.

That’s because “fake airplane” mode doesn’t itelf snoop on or try to steal private data belonging to other apps, but works simply by showing you what you hope to see, namely visual clues that imply that your device is offline even when it isn’t.

Given that even the App Store, Apple’s own compulsory walled garden for software downloads, isn’t immune to malware and potentially unwanted applications…

…you can imagine that determined scammers, cryptoconfidence tricksters and spyware peddlers might be keen to find a way to hide “fake airplane” treachery in otherwise unexceptionable looking apps in order to make it through the App Store verification process.

What you see is not necessarily what you get

As the Jamf researchers explain it, most users who are concerned not only about going offline temporarily, but also with checking that they really are disconnected from the internet, do something like this:

  • Swipe up from the home screen to access the Control Center. Tapping on the aircraft icon typically turns the aircraft orange and all three radio communication icons (mobile, wireless and Bluetooth) grey:
  • Try to browse to a popular site. Opening or refreshing a web page when airplane mode is successfully engaged typically produces a notification that explicitly says Turn off Airplane Mode or use Wi-Fi to Access Data:

At this point, a well-informed user would be inclined to accept not only that they had turned airplane mode on, but also that they had successfully cut the apps on their phone off from the internet.

Unfortunately, Jamf coders found a series of sneaky tricks by which they could separate appearance from reality.

Firstly, they figured out how to intercept the API (application programming interface) call triggered by tapping on the aircraft icon on the Control Center screen.

In this way, the apparent switch to airplane mode was recorded in the iPhone logs, yet the actual system call to turn it off in real life was hijacked to turn off Wi-Fi but not the mobile network, leaving an unexpected pathway off the phone for any app authorised to use mobile data.

Secondly, they reconfigured your browser (they used Safari in their tests, but we assume other apps, including alternative browsers, could be tricked in the same way) so that the app alone, rather than the entire device, was blocked from using mobile data connections.

In theory, the roguery of cutting off a specific app from the internet instead of the whole phone ought to be obvious, because a well-informed user would see a completely different warning when trying to browse to a known page:

This notification clearly implies that mobile data is turned on in general, but disabled specifically for Safari, in contrast to the warning shown above, where airplane mode is mentioned explicitly.

So, thirdly, the researchers figured out how to intercept the “mobile data is turned off” dialog, and simply to replace it with the more reassuring “airplane mode is on” notification instead.

The last possible giveaway facing the Jamf researchers was that with airplane mode artificially activated in the Control Center screen (thus correctly turning the aircraft icon orange), the mobile data connection icon (the broadcasting lollipop) would nevertheless remain green.

Fourthly, therefore, the researchers found a way to dim the mobile data icon to give the false impression that the option was disabled, and thus by implication turned off, even though it wasn’t.

What to do?

The good news is that the researchers only figured out how to misrepresent the state of your device’s connectivity when changes were made via the Control Centre swipe-up screen.

If you go directly to the Settings page, the tricks outline here are no longer enough, because the Airplane Mode setting, along with the resulting configuration forced on your Wi-Fi, Bluetooth and Mobile Data settings, can be correctly controlled and reliably checked:

We’re assuming, with enough effort and with sufficiently powerful malware already installed on your iPhone, that a determined attacker might be able to interfere even with the Settings page, but the Jamf team didn’t come up with a practicable way of doing this in their research.

So, if you ever need to use apps on your phone while being as certain as you can that it’s cut off from the internet, remember that a simple connection test with your browser might not be telling you the truth.

Check directly on the Settings page, rather than indirectly via Control Center or your browser.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button