Apple Lockdown Mode ‘First Step Toward Mainstreaming Better Protections’

For most of its existence, Apple has made its reputation on slick design and marketing and on delivering the new new thing before people even know they want it. Of late, that new thing has often been new privacy and security features, and this fall the company is planning to roll out a major option in iOS that will provide a significant new level of security for people who are at serious risk of highly targeted attacks.

When iOS 16 debuts in the fall, it will include a new set of security capabilities known collectively as Lockdown Mode, which Apple describes as “an extreme, optional level of security”. The capabilities are designed to remove a large portion of the attack surface that highly capable attackers, such as NSO Group and others that sell commercial spyware to state actors, use to compromise iPhones. Lockdown Mode is meant specifically for high-risk user groups, such as activists, journalists, and political dissidents, and will severely restrict the functionality of iPhones when it’s enabled. Among other things, Lockdown Mode will block most attachments in Messages, disable just-in-time (JIT) JavaScript compilation and other web technologies in the browser, prevent configuration profiles from being installed, and block wired connections with computers or accessories while the phone is locked.

Users will be able to turn on Lockdown Mode on their own, but will not be able to turn the individual capabilities that make up the new security set on or off separately.

“While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are. That includes continuing to design defenses specifically for these users, as well as supporting researchers and organizations around the world doing critically important work in exposing mercenary companies that create these digital attacks,” said Ivan Krstić, head of security engineering and architecture at Apple.

The set of companies that sell high-end, custom spyware tools is relatively small, but the effects they have on the people targeted by their products are profound. The targets often are dissidents or activists in authoritarian countries, journalists, social activists, and others who become inconveniences for the governments that buy those tools. Security researchers at Citizen Lab have exposed extensive use of the Pegasus spyware sold by NSO Group in many countries, including the UK, Bahrain, and Jordan, and in many cases the victims of those attacks were compromised in some way through their mobile devices. Some of those intrusions involved novel exploits against previously unknown vulnerabilities in iOS, often delivered through text messages.

Lockdown Mode is meant to take as many of those attack vectors off the board as possible, and researchers say it’s an important step forward, not just for at-risk users, but for the larger user population.

“Using Lockdown Mode is like driving out categories of attacks. It won’t prevent you from being vulnerable to anything. It’s important that big OS developers move toward providing users with better protections,” said John Scott-Railton, senior researcher at Citizen Lab at the University of Toronto’s Munk School.

“It’s also a toe dip and it’s important that big platforms have higher security features. The thought is sometimes that more security might provide higher friction, but users like these features. This is the first step toward mainstreaming better protections. There’s a collective action problem. If companies are in competition with each other, they’re sometimes reluctant to add features that might push users to their competitors. But this is an important move.”

Many of the technologies and features that have had the greatest impact on improving security on the web began as tests or as features designed for small groups of people. One example is HTTPS, which browser vendors initially encouraged, then made optional, and eventually made the default connection mode. Now, nearly all of the traffic on major platforms is encrypted.

“When you increment up, it’s like an antibiotic, it’s like, Did you get all of the bacteria? Or all the threats? It makes the next big step easier,” Scott-Railton said.

And though Lockdown Mode is expressly meant for people at high risk of being targeted by commercial spyware or other advanced threats, the benefits will eventually accrue to everyone.

“High-risk users should also mean people who run banks, celebrities, well-known crypto investors. Anyone who is at a heightened threat level,” Scott-Railton said. “Many features provide a road map for better security for everyone.”