
What Is Lockdown Mode for iOS and iPadOS and Why Should I Care?

Published 10/10/2022

Originally published by Lookout here.

Written by Christoph Hebeisen, Director, Security Intelligence Research, Lookout.

Apple recently announced a new feature in its upcoming iOS and iPadOS called Lockdown Mode. The aim is to protect users such as corporate executives, government officials, journalists, activists and other users who are likely targets of sophisticated surveillanceware. The goal of Lockdown Mode is to restrict certain device capabilities that spyware has exploited in the past, in order to reduce the attack surface on Apple devices.

We welcome the introduction of Lockdown Mode by Apple as an additional feature that can improve security in certain situations. However, we need to keep in mind that the mobile attack surface is quite complex.

While this mode will mitigate certain classes of threats related to Apple services, web content and messaging, as well as risks related to physical connections to the device, it leaves other vectors, such as third-party apps, unchanged. In addition, Lockdown Mode may get pushback from users. The mode reduces risk by disabling legitimate, useful functionality, which may create friction that many find unacceptable.

What is Lockdown Mode?

At a high level, Lockdown Mode limits functionality that relies on complex code such as just-in-time (JIT) JavaScript compilation or video playback. Specifically, it impacts certain capabilities that can be triggered remotely and require little or no user interaction, which are key ways surveillance technology gains control of a device during infection.

Some versions of the infamous Pegasus spyware, for example, use a so-called zero-click exploit against iMessage. Citizen Lab, which discovered Pegasus alongside Lookout in 2016, uncovered this capability while analyzing the phone of an anonymous Saudi activist in 2021. Zero-click exploits are exploits that can be triggered remotely by sending a message to the device and that require no user interaction to take control of the device. This is the most reliable way for an attacker to succeed, often without even being noticed by the user. This is why part of Lockdown Mode is blocking many of these automated functions, such as receiving inbound invitations on apps like FaceTime or iMessage.

Limitations to Lockdown Mode

Lockdown Mode will certainly strengthen the security of Apple devices, but it has its limitations. The dozens of third-party apps that most Apple mobile device users use aren’t affected by it. To reduce the attack surface on the app side, each developer would need to implement their own lockdown measures. It is worth noting that vulnerable apps are a major threat. For example, in 2019, the developer behind Pegasus, the NSO Group, was able to exploit a vulnerability within WhatsApp to gain a foothold on iOS devices before seizing control of the system.

Moreover, a reduction in the attack surface is not the same as eliminating any possibility of being exploited. For example, the news release by Apple indicates that images attached to messages will still be rendered in Lockdown Mode. If an attacker targets a device in Lockdown Mode, they will have a reduced set of features to target, which raises the difficulty but is unlikely to prevent attacks altogether.

The last limitation is the user experience. Lockdown Mode does exactly what its name implies: it locks down the device. So whether it is blocking incoming message attachments or deteriorating the browsing experience on not-explicitly-trusted web sites, users will have to deal with tradeoffs.

Should I care about Lockdown Mode?

The vast majority of mobile device users, regardless of what operating system they are on, are less likely to be targeted by sophisticated spyware than business or government leaders who may have access to valuable trade secrets or national security data. Therefore, Lockdown Mode is not something most Apple mobile device users will want to use.

On the bright side, this mode will reduce risks for users who are of high value to spyware operators while at the same time raising the cost to attackers. With that being said, there are other steps that need to be taken to curtail the impact of spyware and malware in general, at both the end-user and the regulatory level:

The “lawful intercept” industry needs to be scrutinized

In addition to security controls, we also need to look at the spyware industry at large.

The vendors within this market brand themselves as “lawful intercept” companies that only sell to entities with a legitimate use case, such as a law enforcement agency fighting terrorism. In reality, spyware technology is often sold and used by governments to spy on politicians, journalists, activists or business executives. The Hermit spyware that Lookout recently discovered, for example, was deployed within Italy for a criminal investigation but we also found evidence of it being used in Syria and Kazakhstan, both of which have questionable human rights records.

In 2021, the U.S. Department of Commerce banned American corporations from conducting business with Pegasus developer the NSO Group, which severely hindered its ability to operate.

How to protect yourself from spyware

Even if an organization decides that executives should run their devices in Lockdown Mode, there is the challenge of actually getting those individuals to comply. If the limitations are going to hinder their productivity or their ability to communicate with others, then most will not want to use it.

With that in mind, there are some ways to protect your organization without limiting employee productivity:

  • Beware of phishing: On mobile devices, any app with messaging functionality can be used to social engineer you. Scrutinize communications that look suspicious, especially ones that have unknown links or attachments.
  • Don’t install unknown apps: Even apps that are available on official app stores can put your device at risk. Be sure to research what the app does and its reputation before installing it.
  • Never download apps from third-party stores: Always download apps directly from an official app store, such as the iOS App Store or Google Play store, as those stores have strong security vetting measures in place.
  • Keep OS and apps up to date: One way attacks are delivered is by exploiting known vulnerabilities. By keeping your operating system and apps updated, you can reduce the number of vulnerabilities that can be exploited.
  • Deploy dedicated mobile security: Even the most cautious users can be compromised. Slips in security posture are inevitable and zero-click exploits can compromise a device even without user interaction. A dedicated mobile security solution can protect your device regardless of whether Lockdown Mode is enabled.
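The "keep OS and apps up to date" step only works at fleet scale if someone actually checks which devices are behind. The script below is an added illustration of such a check, not code from Lookout or Apple: it takes a device inventory (a constructed sample stands in for what an MDM export would provide), compares each reported OS version numerically against a placeholder minimum, and reports every device that falls short. Comparing versions numerically matters because a plain string comparison ranks "16.10" below "16.9", and a device whose version cannot be parsed is reported rather than silently skipped.

```python
"""Fleet check for the 'keep OS and apps up to date' step: flag devices that
report an OS version below a required minimum. This is an added illustration,
not Lookout's or Apple's code; the inventory and policy values are constructed
for the example and an MDM export would be the real source."""

from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.1.2' into (16, 1, 2) so comparison is numeric, not lexical.
    Lexical comparison would rank '16.10' below '16.9', which is wrong."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_at_least(installed: str, minimum: str) -> bool:
    """True when the installed version meets or exceeds the minimum.
    Missing trailing components count as zero, so '16.1' equals '16.1.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def find_outdated(inventory: List[Dict[str, str]], minimum_os: str) -> List[Dict[str, str]]:
    """Return the inventory records whose OS version is below minimum_os.
    Records with a malformed version are reported as well: a device whose
    version cannot be read should be treated as non-compliant, not ignored."""
    outdated = []
    for device in inventory:
        try:
            compliant = is_at_least(device["os_version"], minimum_os)
        except ValueError:
            compliant = False
        if not compliant:
            outdated.append(device)
    return outdated


# Constructed sample inventory; the device ids and versions are made up.
SAMPLE_INVENTORY = [
    {"device_id": "exec-001", "os_version": "16.1"},
    {"device_id": "exec-002", "os_version": "15.7.1"},
    {"device_id": "exec-003", "os_version": "16.0.3"},
    {"device_id": "exec-004", "os_version": "unknown"},
]

# Placeholder policy value; replace with the version your organization requires.
MINIMUM_OS = "16.1"

if __name__ == "__main__":
    for rec in find_outdated(SAMPLE_INVENTORY, MINIMUM_OS):
        print(f"{rec['device_id']}: {rec['os_version']} is below {MINIMUM_OS}")
```

Running it against the sample reports exec-002 (older major release), exec-003 (a patch release of 16.0 is still below 16.1) and exec-004 (unreadable version). Feeding the real inventory through the same function turns the bullet point above into a recurring compliance check rather than advice.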