Apple to Reinforce Spyware Defense With Lockdown Mode in iOS 16


Apple is leaving no stone unturned to address malicious actors’ growing use of spyware. The iPhone-maker is rolling out Lockdown Mode, a new feature to thwart zero-click attacks targeted against the users of its products.

Tech giant Apple has developed a major security feature to make it more difficult for professional spyware companies such as Pegasus producer NSO Labs to target or attack iPhone users. The update follows several cases in which predatory cyber firms helped their clients (government agencies or authorities) spy on journalists, activists, and other nonconformists by breaking into their devices through zero-day vulnerabilities.

Though the company fixed the ‘FORCEDENTRY’ vulnerability in its devices that provided an entry for Pegasus operators, it is taking fresh steps to boost anti-spyware defenses further.

Pegasus, the military-grade spyware, is used for spying on iOS and Android device users. Israeli cyber company NSO Group says through Pegasus, it enables foreign governments to eavesdrop on device data (including messages and other forms of communication) of terrorists, dissidents, and other kinds of criminals.

However, Amnesty International’s report that Pegasus is being used to snoop on journalists, human rights lawyers and activists, businessmen, academics, politicians, etc., besides criminals, didn’t go down well with Apple. Later, Apple took Pegasus developer NSO Group and its parent company, Q Cyber Technologies, to court in November 2021.

But Apple’s issue with the use of the Pegasus spyware had less to do with human rights abuse than with violations of U.S. laws and, more importantly, the abuse of the ‘FORCEDENTRY’ vulnerability in its devices.

Apple, which called NSO Group an “amoral 21st century mercenary,” has since fixed the vulnerability but still appears wary that Pegasus-like spyware and cyber mercenaries will find their way into the company’s devices.

Apple admits that Lockdown Mode is for highly targeted attacks against “the very small number of users who face grave, targeted threats to their digital security.” This list may include journalists, lawyers, political dissidents such as the members of the Catalan independence movement, diplomats, and other influential individuals.


Apple shipped ~59 million iPhones in Q1 2022, while the 50,000 spyware targets identified by Meta used a range of smartphones, not only iPhones. Even if we disregard that for the sake of estimating the scale of the threat, and measure last year’s targets against Q1 2022’s iPhone shipments (not the total number of iPhones in use globally), the percentage of iPhone users at risk would be 0.000847%.

Lockdown Mode will be available starting with iOS 16, iPadOS 16 and macOS Ventura, expected to be released later this year.

Under this mode, Apple devices will have severely restricted capabilities, a trade-off that users may accept if they believe they could be the target of cyber mercenaries. “Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware,” Apple said.

Apple listed the restrictions that apply when Lockdown Mode is turned on:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled. For instance, the KISMET vulnerability in iOS 13’s iMessage allowed Pegasus to infect devices. To address this, Apple introduced the BlastDoor sandbox in iOS 14 to isolate message parsing. But FORCEDENTRY allowed Pegasus to bypass BlastDoor, again enabling infection.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode. JIT JavaScript compilation speeds up JavaScript execution on iPhones but can also be abused by malware exploits using JIT-spraying. How this will affect UI and app features beyond HTML5 remains to be seen.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections: When the iPhone is locked, wired connections with a computer or accessory are blocked.
  • Configuration profiles cannot be installed, and the device cannot enroll in mobile device management (MDM).

Which is great. Adding a small amount of friction for cases of people targeted via persistent social engineering is very helpful.

— John Scott-Railton (@jsrailton) July 6, 2022

Based on the hardened, simplified, and more secure interface that Apple is pushing with Lockdown Mode, the impact on usability seems sustainable for business executives and employees in general. The main problem would be the lack of MDM capabilities.

Apple didn’t mention other channels that could be used for spying, such as the Find My feature, Bluetooth beacons, and location services. It is possible that Apple has not yet released the full list of restrictions.

The early years of Android had some promising security-focused custom ROMs with limited features. However, independent development never materialized into something lasting.

To ensure Lockdown Mode remains a mainstay of Apple devices and to further fortify its security, the company is offering up to $2 million as a bug bounty for weaknesses in the new feature. Apple says this would be the highest maximum bounty payout in the industry.

Apple is also allocating a $10 million grant to the Ford Foundation’s Dignity and Justice Fund for investigating, exposing, and preventing highly targeted cyberattacks.