Fresh security research from Jamf Threat Labs may not reflect an active attack, but it does illustrate the layered complexity of today’s threat environment.

In brief, the researchers have figured out a proof of concept attack that tricks victims into thinking they are using Airplane Mode. However, in reality the attacker has put in place a fake version of that mode that looks normal but lets the attacker maintain access to the device.

This is by no means a straightforward attack and hasn’t been seen in the wild. The exploit is complex and would require an attacker to successfully take control of the target device through a series of exploits, the research claims. 

This is a crafty attack in that internet connections to a user’s apps are cut when they enter the fake Airplane Mode, so it feels like it is working. And yet, all the while, the exploit can continue to exfiltrate data from the device. The researchers point out that some iPhone users switch to Airplane Mode to improve their own security.

You can learn more about the exploit here.

In order to put the exploit in place, the team replaced elements at an OS level, including altering hard-to-find commands within the operating system.

To make it convincing, they also had to figure out how to make the user interface act as if things were offline when in the fake mode and also how to fool the OS into cutting off network access to everything except the malware inside the device.

Apple maintains the world’s most secure platforms, but doing so is a constant campaign. While major security incidents are relatively infrequent, they do exist. Indeed, while it’s true to observe that an industry of security experts dedicated to identifying threats in order to sell people protection against such abuses does exist, that doesn’t mean it should not exist.

Think about Apple’s own actions. Its decision to introduce Lockdown Mode was a direct reflection of the increasingly complex threat environments in which we exist. Introduction of that mode followed highly publicized attacks by NSO Group and others.

And more recently, AT&T Alien Labs researchers claim to have identified around 10,000 infected Macs that are being used to support AdLoad malware, that report suggests.

“Users of MacOS devices are a lucrative target for the adversaries behind this malware and are being tricked to download and install unwanted applications,” that report claimed.

Research and proof of concept cases like these don’t suggest Apple’s platforms are becoming more insecure but should be seen as warnings that attempts to undermine platform security are intensifying.

That doesn’t mean every Mac, iPad, or iPhone user — or every fleet manager — must immediately switch off all the devices, limit network access, and invest in every kind of malware protection tech available to us here on our still green in patches planet.

What it does mean is that attempts to secure the most vulnerable point in any tech — the humans using it — must be prioritized.

After all, as the Jamf proof of concept shows, what you think you see may not always be what is there. That is also, of course, why it’s somewhat inevitable that on-device telematic security monitoring will form part of the future of Apple platform security. Which is probably why Jamf acquired ZecOps in 2022.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

IT World