Apple says no one using Lockdown Mode has been hacked by spyware.

Apple says it’s been nearly four years since it launched a security feature called Lockdown Mode, and that it has yet to see a case where someone’s device has been hacked with this extra security protection turned on.

“We are not aware of any successful mercenary spyware attacks on Apple devices with lockdown mode enabled,” Apple spokeswoman Sarah O’Rourke told TechCrunch on Friday.

It’s the tech giant’s latest assurance that Apple devices with Lockdown Mode can withstand government spyware attacks, after first claiming the security feature was launched a year ago.

Apple in 2022 announced Lockdown Mode, a set of security protections that turn off certain features on iPhones and other Apple devices that are commonly exploited to hack targets with spyware. Apple released this security mode specifically to help at-risk customers protect themselves from threats posed by government spyware created by companies such as Intellexa, NSO Group, and Paragon Solutions.

In recent years, Apple has acknowledged that its customers can be hacked with spyware and has become more proactive in notifying targeted customers.

Apple sent numerous notifications to users in over 150 countries, warning them that they may have been hacked with spyware. This shows how much visibility the company currently has into these types of attacks. Apple didn’t say how many users it sent the notification to, but it would be reasonable to assume there were dozens, if not more.

Screenshot showing Lockdown Mode in iOS 16.
Image Credits: Apple (provided)

Donncha Ó Cearbhaill, director of security research at Amnesty International, who has investigated dozens of spyware attacks, said he and his colleagues “have seen no evidence that iPhones have been successfully compromised by mercenary spyware that had lockdown mode enabled at the time of the attack.”

Digital rights groups such as Amnesty International and the University of Toronto’s Citizen Lab have documented several successful attacks targeting iPhone users, but none of them mentions a Lockdown Mode bypass. Citizen Lab researchers have publicly shown Lockdown Mode actively blocking spyware attacks in at least two cases. One was carried out using NSO’s Pegasus and the other using Predator spyware created by a company that is now part of Intellexa.

In at least one documented case of a spyware attack targeting iPhones, security researchers at Google said the spyware could avoid attempting to infect victims when it detected Lockdown Mode, as a way to evade detection.

Apple cybersecurity expert and critic Patrick Wardle says lockdown mode is an important feature that makes it more difficult for spyware creators to attack Apple users.

“I think it’s safe to say that lockdown mode is one of the most aggressive consumer-targeted enhancements ever released,” he told TechCrunch.

Contact us

Do you have more information about spyware attacks or spyware creators? You can contact Lorenzo Franceschi-Bicchierai securely via Signal at +1 917 257 1382 from a non-work device, or via Telegram, Keybase and Wire @lorenzofb or via email.

Wardle explained that lockdown mode “shrinks the attack surface,” eliminating many of the techniques commonly used to exploit iPhones and forcing spyware creators to use more complex and expensive techniques for development.

He added, “It shuts down an entire delivery mechanism/class of exploits. Because it blocks most types of message attachments and limits WebKit functionality, this significantly reduces the attack surface that can be reached remotely. Especially for zero-click exploit chains,” he said, referring to hacks that can target people over the internet without any interaction with the victim.

It’s possible that Lockdown Mode has been bypassed in an attack that neither Apple nor independent investigators caught. But considering that Apple is generally tight-lipped publicly at the best of times, its latest statement marks an important milestone for Lockdown Mode.

I’ve been using lockdown mode for a few years and rarely think about it, other than the occasional notification that pops up, which can be confusing. Some features that are turned off require additional steps, such as copying a link from a text message and pasting it into your browser. This is why I and several other digital security experts recommend that people who are worried about being targeted by spyware or digital attacks switch to lockdown mode.