This week, Apple announced the upcoming Lockdown Mode to come to iOS devices with version 16 in the fall. When enabled, this new security configuration will harden the iPhone against sophisticated targeted attacks, disabling some risky features, at the cost of some convenience and functionality.
Let me say, right out of the gate, this is great.
For many years I have been talking, including in this newsletter, about the design and economic inadequacy of consumer technology for at-risk users. And just as I commended Google for the introduction of the Advanced Protection program then, I am applauding Apple for Lockdown Mode. Apple recognized that a subset of their customer base, for how small it might appear, faces heightened risks and are victimized through technology they trusted and Apple had to do something about it. Investing into modifying iPhone’s baseline operating system and starting to make available heightened security settings is the right way to reduce the attack surface, and raise the economic costs for attackers. Additionally, it strongly signals to the rest of the industry that these are viable improvements to consumer products, and demonstrate that the largest corporations can and should care about the smallest, but most vulnerable, fraction of their user base. This is responsible and mindful engineering.
So, regardless of how effective Lockdown Mode will turn out to be in its first iteration, this is a critically important development from a top hardware and software manufacturer like Apple.
The announcement was rather brief, but came with a short preview of expected configurations that enabling Lockdown Mode would enforce.
First, with Lockdown Mode enabled, “most message attachment types other than images are blocked”. Message attachments can be a first point of entry in potential exploitation chains. Vulnerabilities often occur in complex file format parsers, are which perfect attack vectors and as a result they are a preferred target for offensive security researchers’ fuzzing and reverse engineering efforts. Reducing the allowed message attachment types means reducing the potential attack surface, and might allow Apple security engineers to prioritize auditing efforts. The announcement proceeds, “some features, like link previews, are disabled”. As browsers are a prime target for exploitation, disabling link previews might prevent potential automatic exploitation of vulnerabilities in Safari and its engine simply upon reading a message. Additionally, some links might be handled by apps other than the browser, for example Apple Podcats, Photos, Music or others, where the actual vulnerability might lie. Disabling previews adds friction and gives an opportunity for the targeted user to exercise caution.
“Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.” In our research into Pegasus attacks published last year we detailed for the first time how different Apple services come at play in a typical attack scenario. We discovered how malicious Apple accounts silently initiate a connection with targets users in order to deliver an exploit. By preventing unknown accounts from initiating unsolicited calls, conversations and connections, a Lockdown Mode user will have agency over which interlocutors to trust. This is a simple yet powerful mitigation which might not only benefit those concerned with sophisiticated targeted attacks, but perhaps those victims of different forms of harassment as well.
“Wired connections with a computer or accessory are blocked when iPhone is locked.” Good and sensible in order to complicate potential illegitimate data extraction upon device seizure, or other forms of physical tampering of the device.
Lastly, Apple notes that “configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.” Second-tier attacks, let’s call them, do not necessarily rely on extremely complex chains of exploit in order to compromise a device, but often time rely on social engineering a target into enrolling into a malicious MDM, enterprise solutions legitimately used to centrally manage corporate mobile devices. By abusing this, attackers are able to take control of the device and, for example, load arbitrary applications. In most cases, end users rarely leverage these enterprise features, but they remain available for abuse nevertheless. With Lockdown Mode, disabling MDM and configuration profiles will close a door in for attackers.
In conclusion, I see all these as welcomed changes and an effective way to raise the bar of entry for mercenary spyware manufacturers, beyond the more traditional efforts in improving and expanding the set of exploit mitigations available in iOS. Making available an optional hardened mode nicely balances the unique requirements of at-risk users while not affecting the larger user base. I look forward to seeing Lockdown Mode rolled out and how it develops. Will other manufacturers follow the example?