Researchers have discovered a new post-exploit persistence technique on iOS 16 that allows attackers to maintain access to an Apple device even when it is believed to be offline [1] [3] [4] [5] [7].
By manipulating the code that controls airplane mode [2] [6], attackers can deceive users into believing their device is in airplane mode while it still has access to the internet [2]. The technique plants an artificial signal so the victim believes the device's Airplane Mode is working. The attackers modify the user interface to display the airplane mode icons and cut off the internet connection for every app except their own [1] [3]. They use the CommCenter daemon to block cellular data access for specific apps and disguise that blocking as Airplane Mode [3] [4] [5], which keeps connectivity available to their malicious payload [3]. An SQL database maintained by the CommCenter daemon records the cellular data access status of each app [3], so access to Wi-Fi or cellular data can be selectively blocked or allowed per app [3]. These techniques require total control over the device and apply only to post-exploitation attacks [2] [6]. This technique has not yet been used in real-world attacks.
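As an added, defender-side illustration (not code from the original article or from the researchers), the following Python script cross-checks the three signals the technique manipulates: the Airplane Mode indicator shown in the UI, the actual radio state, and a per-app cellular-access table of the kind the article attributes to CommCenter. The table schema, its contents, the bundle identifiers and the selective-blocking threshold are constructed assumptions; the real database layout is not on the page.

```python
import sqlite3

# Constructed schema standing in for the per-app cellular-access records the
# article says the CommCenter daemon keeps. The real table layout and database
# path are not on the page and are not reproduced here.
CONSTRUCTED_SCHEMA = """
CREATE TABLE app_cellular_access (
    bundle_id        TEXT PRIMARY KEY,
    cellular_allowed INTEGER NOT NULL   -- 1 = allowed, 0 = blocked
);
"""

# Constructed sample: every app blocked except one unknown bundle.
SAMPLE_ROWS = [
    ("com.example.mail", 0), ("com.example.browser", 0),
    ("com.example.maps", 0), ("com.example.messenger", 0),
    ("com.example.unknown", 1),
]

def load_constructed_db(rows):
    """Build an in-memory SQLite database with the constructed schema."""
    db = sqlite3.connect(":memory:")
    db.executescript(CONSTRUCTED_SCHEMA)
    db.executemany("INSERT INTO app_cellular_access VALUES (?, ?)", rows)
    return db

def audit_airplane_mode(db, ui_shows_airplane_mode, radio_up):
    """Cross-check the Airplane Mode indicator, the real radio state and the
    per-app access table. 'findings' is empty when all three agree."""
    allowed = sorted(b for (b,) in db.execute(
        "SELECT bundle_id FROM app_cellular_access WHERE cellular_allowed = 1"))
    blocked = db.execute(
        "SELECT COUNT(*) FROM app_cellular_access WHERE cellular_allowed = 0").fetchone()[0]
    findings = []
    if ui_shows_airplane_mode and radio_up:
        # Genuine Airplane Mode takes the radios down; an icon without that is
        # exactly the mismatch the article describes.
        findings.append(("ui_radio_mismatch",
                         "Airplane Mode shown but a radio interface is up; "
                         "apps still reachable: " + (", ".join(allowed) or "none")))
    # Heuristic threshold (assumption): nearly everything blocked with a few
    # apps allowed is the selective-blocking shape that keeps only a payload online.
    if allowed and blocked >= 3 * len(allowed):
        findings.append(("selective_block",
                         "%d app(s) blocked, only %s allowed" % (blocked, ", ".join(allowed))))
    return {"consistent": not findings, "allowed_apps": allowed, "findings": findings}

if __name__ == "__main__":
    for code, detail in audit_airplane_mode(load_constructed_db(SAMPLE_ROWS), True, True)["findings"]:
        print(code, detail, sep=": ")
```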
Defenders can use this knowledge to improve detections and potentially build detection tools that identify compromised devices [6]. Apple has stated that this attack does not relate to a specific vulnerability in the operating system [5].