Finally, a responsible device manufacturer steps in and fixes espionage and malware problems once and for all! With an Apple OS update scheduled for this autumn, we will see Apple beef up its security and introduce a new Lockdown Mode. This new Lockdown Mode option aims to protect against those pesky state-sponsored cyber-attacks we have seen of late on phones of high-profile targets such as activists, dissidents, politicians and journalists. This blog takes a deeper look at how Apple Lockdown Mode intends to beat mercenary spyware.
I remember when antivirus software did that for PCs in the 1990s. Finally, we were all safe from the dangers of the internet. Well, almost... and now another miracle cure has arrived, this time for our phones. A one-click fix for a problem that just doesn’t seem to want to go away, no matter how many hotfixes we throw at it. But what is Lockdown Mode? What does it actually prevent and protect us against? And can it perhaps tell us something about the security mindset in modern technology?
What is Apple Lockdown Mode?
Lockdown Mode is an Apple feature that aims to protect its users who could be at risk of being targeted by surveillance companies developing state-sponsored mercenary spyware.
What is mercenary spyware?
Mercenary spyware is intended to break into mobile phones and extract large amounts of information stored or processed by the target system. This includes instant messages, location, intercepted calls, camera and microphone recordings, and app data.
What does Apple Lockdown Mode do?
Let’s dig into Lockdown Mode, feature by feature, as bullet-pointed on Apple’s website.
- Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
Unsolicited pre-rendering should never have been enabled in the first place; I am so happy a disable button is finally available. As a user you should be able to choose what software runs on your device, and it’s sad that we have been denied that ability for so long, unless we opted to root our devices. This will protect iMessage content, but will it protect active content and previews in WhatsApp, Viber or Messenger? They can all resolve links and render remote content. But yes, this feature may help iPhone dissidents to communicate safely with other iPhone freedom fighters.
- Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
This is great. I am not sure how different it is from the old “block caller” feature, but there should be very little difference. We can appreciate the fact that Apple is admitting that they, just like everyone else, are incapable of recognizing malicious content and will happily transport it across their servers on request. The feature itself is good, but from a telecom security perspective it may be providing a false sense of security. Wangiri (one-ring calls that bait a call-back) from FaceTime-enabled numbers could be an option... Lockdown Mode doesn’t permit inbound requests for FaceTime calls, but if the attacker decides to Wangiri you and spoof the A-number, you will call back to a FaceTime-enabled device; the attacker can then have you initiate the session, and that seems to be permitted even in Lockdown Mode.
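To make that scenario concrete, here is an added example (not code from the original post or from Apple) that models Apple’s published inbound rule as a simple allow-list and runs a defender-side one-ring-callback check over a constructed call timeline; the `LockdownFilter` model, the assumption that any outbound contact admits a peer, and all numbers are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    t: int            # seconds on a constructed timeline
    direction: str    # "in" or "out"
    peer: str         # other party's number as presented (may be spoofed)
    service: str      # "cellular" or "facetime"
    duration: int = 0 # seconds; 0 for a missed or blocked call

@dataclass
class LockdownFilter:
    # Toy model of Apple's published rule (an assumption, not Apple's code):
    # inbound FaceTime requests pass only from peers the user has already called.
    contacted: set = field(default_factory=set)

    def observe(self, ev: Event) -> bool:
        if ev.direction == "out":
            self.contacted.add(ev.peer)   # any outbound contact admits the peer
            return True
        if ev.service == "facetime":
            return ev.peer in self.contacted
        return True                       # plain cellular calls fall outside the rule

def replay(events):
    """Run the timeline through the filter; returns (event, allowed) pairs."""
    f = LockdownFilter()
    return [(ev, f.observe(ev)) for ev in sorted(events, key=lambda e: e.t)]

def wangiri_callbacks(replayed, max_ring=5, window=3600):
    """Flag an outbound call placed within `window` s of a very short inbound call
    from the same presented number: the one-ring-and-call-back pattern."""
    seen = [ev for ev, ok in replayed if ok]   # only what reached the user's call log
    flags = []
    for i, e in enumerate(seen):
        if e.direction != "in" or e.duration > max_ring:
            continue
        for later in seen[i + 1:]:
            if later.t - e.t > window:
                break
            if later.direction == "out" and later.peer == e.peer:
                flags.append((e.peer, e.t, later.t))
                break
    return flags

# Constructed timeline: direct FaceTime request blocked, one-ring cellular call
# gets through, user calls back, and the next FaceTime request is admitted.
TIMELINE = [
    Event(0, "in", "+15550100", "facetime", 0),
    Event(60, "in", "+15550100", "cellular", 1),
    Event(300, "out", "+15550100", "facetime", 30),
    Event(400, "in", "+15550100", "facetime", 120),
]
```

Running `replay(TIMELINE)` shows the fourth event admitted purely because of the user’s call-back, which is the gap the paragraph above describes; `wangiri_callbacks` is the kind of check a carrier or device-side log review can apply to surface it.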
- Wired connections with a computer or accessory are blocked when iPhone is locked.
If you’re close enough to plug my phone into a computer, you are close enough to punch me in the face until I surrender my password. There is of course the odd occurrence when you accidentally leave your phone in the coffee shop, and in those instances, this will provide additional protection.
- Configuration profiles cannot be installed, and the device cannot enrol into mobile device management (MDM), while Lockdown Mode is turned on.
I never liked MDMs, so naturally this feature is something I like. Many like myself will probably want to use this as a get-out-of-spyware-at-the-office card. On a more serious note, this may be a good thing if implemented correctly. Disabling the ability to grant remote-control permission over the device is a good starting point. MDM is very appealing because it offers a centralized way of controlling devices remotely, but unfortunately it is a security solution that can easily be turned against its users.
The benefits of Lockdown Mode
First off, a 2 million USD bug bounty! Apple is doubling its maximum pay-out for qualifying vulnerabilities that are exploitable under Lockdown Mode.
That’s a serious pay-out, but to get the 2 million you need a zero-click kernel code execution with persistence and kernel PAC bypass. Many attackers can probably live without persistence if reliable reinfection is available.
The main features of Lockdown Mode are perhaps also indicative of some of the problems with modern technology. Two of the features are directly related to active content being automatically presented even when the user hasn’t asked for it.
If partially disabling a largely unnecessary optimization in web technology and prohibiting pre-rendering of active content is worth a 100% bump in bug bounties, then I think it would make sense to review what kind of technologies we are inviting into our lives. Automated chatbots, video streams, notification services made available to marketing departments - to name a few examples.
It’s worth considering that there could theoretically be some unforeseen consequences when adopting Lockdown Mode. Depending on the user uptake of this new Lockdown Mode, Apple could potentially get a user-supplied list of everyone who is:
- A political dissident or controversial journalist
- A criminal or government official
- An infosec blogger or conspiracy theorist
Companies like Enea AdaptiveMobile Security will become more critical as:
- Some of the zero-click attacks could potentially move to one-click. Since SMS is a mandatory phone protocol, it is perfectly spoofable by design and inherently trusted, and we are likely to see a return to this vector instead of attackers hammering their heads against iMessages that won’t render on arrival anymore.
- This may be the final nail in the coffin of RCS, which has been hailed as a replacement for SMS precisely because it provides this type of active content and interactive session-based communication.
If we are seeing a shift away from devices on autopilot, clicking and browsing for us behind our backs, then happy days: the world will be a safer place.
So, Lockdown Mode has upsides and downsides. It finally gives back some control to the user, and that is a good thing. At the same time, we should remember the lessons we failed to learn from antivirus software. Whenever there is a software fix dedicated to solving an attacker problem, the attackers may eventually turn their eyes to that software. If the solution can be compromised, you’re in bad hands, and in the modern communication landscape, in many ways you already are. In the case of Lockdown Mode it could be argued that it takes away features rather than adding them, but I would be very surprised if Lockdown Mode doesn’t add new complexity to the codebase.
Apple is taking away a layer of problems that have been used to compromise their devices. Time will tell how thick or thin that layer truly is and to what extent attackers will need to adjust - because they will adjust, and they have the technology. Some will make use of SS7 and signalling capabilities, the possibilities offered by the SIM Toolkit are not exhausted, and of course SMS is still an option. It’s also worth noting that there are iPhone games using lower-security embedded browser windows to present out-of-game content to users, as well as other apps, third-party software and protocols that are still vulnerable.
Having said all that, I am definitely a fan of Lockdown Mode, and its release indicates that Apple is taking the issue seriously. Personally, I will be switching on Lockdown Mode the second it arrives, not because I think anyone is targeting me, but because I want to see how my ad-flows change.
Fredrik is the principal security researcher at AdaptiveMobile and is recognized as one of the leading experts and researchers in telecom security. He has a background in reverse engineering and the development of network and kernel security research tools, with more than 20 years of experience in the field. In recent years he has been involved in the industry efforts to secure mobile networks covering signaling security, IoT and virtualization. Fredrik is listed multiple times in the GSMA Security Research Hall of Fame and has written numerous whitepapers on 5G, signaling and hypervisor security.