The surveillance-for-hire industry has emerged in recent years as a very real threat to activists, dissidents, journalists and human rights defenders around the world, as vendors provide increasingly invasive and effective spyware to governments. The most advanced of these tools, such as those from NSO Group infamous Pegasus spyware, target victims’ smartphones using rare and sophisticated exploits to compromise the mobile operating systems of Apple’s iOS and Google’s Android. As the situation for victims has deteriorated, activists and security experts have increasingly called for more drastic measures to protect vulnerable people. Now Apple has an option.
Today, Apple is announcing a new feature for the upcoming iOS 16 release called Lockdown Mode. Apple emphasizes that the feature was created for a small group of users who are at high risk of being targeted by the government, and does not expect the feature to be widely adopted. But for those who want to use it, the feature is an alternate mode of iOS that severely limits the tools and services spyware actors use to take control of victims’ devices.
“This is an unprecedented step in user security for high-risk users,” Ron Deibert, director of the University of Toronto’s Citizen Lab, said during a phone call with reporters ahead of the announcement. “I believe this will throw a wrench into their modus operandi. I expect [spyware vendors] to try to evolve, but hopefully this feature will prevent some of that damage from happening later.”
Lockdown Mode is a separate operating system mode. To enable it, users enable the feature in the Settings menu and are then prompted to reboot their device for all protections and digital defenses to take full effect. The feature puts restrictions on the most leaky parts of the OS sieve. Lock Mode attempts to comprehensively address web browsing threats, for example by blocking many speed and efficiency features that Safari (and WebKit) to display web pages. Users can specifically mark a particular web page as trusted so that it loads normally, but by default, Lockdown Mode imposes a host of restrictions that extend everywhere WebKit works behind the scenes. In other words, when you load web content in a third-party app or an iOS app like Mail, the same Lockdown Mode protections apply.
Lockdown mode also restricts all types of incoming invites and requests unless the device has previously made a request. That means your friend won’t be able to call you on FaceTime, say if you’ve never called him before. And to take it one step further, even when you initiate an interaction with another device, Lockdown Mode only respects that connection for 30 days. If you don’t talk to a particular friend for weeks after that, you’ll need to reconnect before they can contact you again. In Messages – a common target of spyware exploitation – Lockdown mode shows no link previews and blocks all attachments except for some trusted image formats.
Lock mode also strengthens other protections. For example, if a device is locked, it will not receive connections from anything physically connected to it. And, crucially, a device that has not yet been registered with one of Apple’s Enterprise Mobile Device Management (MDM) programs cannot be added to one of these schemes once Lockdown Mode is enabled. This means that if your company gives you a phone that is enrolled in the corporate MDM, it will remain active if you then turn on Lockdown mode. And your MDM administrator can’t remotely disable Lockdown Mode on your device. But if your phone is a regular consumer device and you put it in Lockdown mode, you won’t be able to activate MDM. This is important because attackers will trick victims into enabling MDM as a way to install malicious apps on their devices.