Mercenary spyware is one of the hardest threats to combat. It targets an infinitesimally small percentage of the world, making it statistically unlikely for most of us to ever see. And yet, because the sophisticated malware only selects the most influential individuals (think diplomats, political dissidents, and lawyers), it has a devastating effect that’s far out of proportion to the small number of people infected.
This puts device and software makers in a bind. How do you build something to protect what’s likely well below 1 percent of your user base against malware built by companies like NSO Group, maker of clickless exploits that instantly convert fully updated iOS and Android devices into sophisticated bugging devices?
No security snake oil here
On Wednesday, Apple previewed an ingenious option it plans to add to its flagship OSes in the coming months to counter the mercenary spyware menace. The company is upfront—almost in your face—that Lockdown mode is an option that will degrade the user experience and is intended for only a small number of users.
“Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware,” the company said. “Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.”
As Apple says, Lockdown mode disables all kinds of protocols and services that run normally. Just-in-time JavaScript—an innovation that speeds performance by compiling code on the device during runtime—won’t run at all. That’s likely a defense against the use of JIT spraying, a common technique used in malware exploitation. While in Lockdown mode, devices also can’t enroll in what’s known as mobile device management, which is used for installing special organization-specific software.
The full list of restrictions is:
- Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
- Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
- Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
- Wired connections with a computer or accessory are blocked when iPhone is locked.
- Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.
It’s useful that Apple is upfront about the extra friction Lockdown adds to the user experience because it underscores what every security professional or hobbyist knows: Security always results in a trade-off with usability. It’s also encouraging to hear Apple plans to let users allow-list the sites that are permitted to serve JIT JavaScript while in Lockdown mode. Fingers crossed Apple might enable similar allow-listing of trusted contacts.
Lockdown mode is a big deal for lots of reasons, not the least of which is that it comes from Apple, a company that’s hyper-sensitive about customer perception. Officially acknowledging that its customers are vulnerable to the scourge of mercenary spyware is a big step.
But the move is big because of its simplicity and concreteness. No security snake oil here. If you want better security, learn to do without the services that pose the biggest threat. John Scott-Railton, a Citizen Lab researcher who knows a thing or two about counseling victims of NSO spyware, said Lockdown mode provides one of the first effective courses for vulnerable individuals to follow short of turning off their devices altogether.
“When you notify users that they’ve been targeted with sophisticated threats, they inevitably ask ‘How can I make my phone safer?’” he wrote. “We haven’t had many great, honest answers that really make an impact. Hardening a consumer handset is really out of reach.”
Now that Apple has opened the door, it’s inevitable that Google will follow suit with its Android OS, and it wouldn’t be surprising for other companies to also fall in line. It may also begin a useful discussion in the industry about broadening the approach. If Apple will allow users to disable unsolicited messages from unknown people, why can’t it provide an option to disable built-in microphone, camera, GPS, or cellular capabilities?
One thing everyone should know about Lockdown mode, at least as described on Wednesday by Apple, is that it doesn’t stop your device from connecting to cellular networks and broadcasting unique identifiers like IMEI and ICCID. That’s not a criticism, just a natural limitation. And trade-offs are a core part of security.
So if you’re like most people, you’re never going to need Lockdown mode. But it’s great that Apple will be offering it because it’s going to make all of us safer.