Connect with us

Hi, what are you looking for?


Mobile & Wireless

Can ‘Lockdown Mode’ Solve Apple’s Mercenary Spyware Problem?

News Analysis: Cybersecurity experts toss bouquets at Apple for removing attack surface from its flagship platforms and call on competing OS makers to match Cupertino’s attempts to neutralize the mercenary spyware business.

News Analysis: Cybersecurity experts toss bouquets at Apple for removing attack surface from its flagship platforms and call on competing OS makers to match Cupertino’s attempts to neutralize the mercenary spyware business.

Apple’s decision to architect a new operating system ‘Lockdown Mode’ to counteract the mercenary spyware exploitation business is receiving rave reviews from cybersecurity experts monitoring the software surveillance landscape.

“Let me say, right out of the gate, this is great,” says Claudio Guarnieri, head of the Security Lab at Amnesty International. “This is responsible and mindful engineering.”

Guarnieri, who works on documenting infections by surveillance software products, said the stripped-down versions of iPhones, iPads and macOS-powered devices will “raise the economic costs for attackers” and help to neutralize some the most technically sophisticated exploits ever seen.

According to Apple, the new Lockdown Mode will be an extreme, optional OS version for a tiny percentage of its users who are targeted with sophisticated exploits capable of silently infecting iPhones without the user clicking on malicious links or surfing to rigged websites.

Security researchers at Google’s Project Zero have described one of the iOS zero-click exploits as “a weapon against which there is no defense” and made it clear that “there is no way to prevent exploitation by a zero-click exploit.”

With Lockdown Mode, currently in beta and expected to ship in the fall, Apple is betting that the removal of certain features and functionalities will provide technical roadblocks to the zero-click exploits that dominate global news headlines.

Advertisement. Scroll to continue reading.

[ Read: Google: Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’ ]

For example, the popular default Messages app will be modified to block some message attachment types and disable link previews.  This change, while limiting functionality, effectively neutralizes software exploits that use Message attachments as the initial delivery mechanism.

“Message attachments can be a first point of entry in potential exploitation chains. Vulnerabilities often occur in complex file format parsers, which are perfect attack vectors and as a result they are a preferred target for offensive security researchers’ fuzzing and reverse engineering efforts,” Guarnieri said.

Lockdown Mode on iOS

Apple is well aware of these types of exploits, having patched multiple zero-day exploits linked to surveillance software makers over the last two years.  One of those exploits, called FORCEDENTRY, exploited a flaw in the way the Messages app previewed images to infect target devices.

By reducing the allowed message attachment types, Amnesty International Guarnieri says Apple is reducing a major, known attack surface and the efforts may allow Cupertino’s security engineers to prioritize auditing efforts.

[ Read: Apple Adds ‘BlastDoor’ to Secure iPhones From Zero-Click Attacks ]

Apple’s software engineers also plan to block incoming invitations and service requests, including FaceTime calls, if the user has not previously sent the initiator a call or request.  This will reduce exposure to known exploitation vectors via FaceTime call requests.

In addition, complex web technologies, like just-in-time (JIT) JavaScript compilation, will be disabled unless the user excludes a trusted site from Lockdown Mode. 

The mode will also block the installation of configuration profiles and disable enrollment into mobile device management (MDM) systems.

Security researchers interviewed by SecurityWeek acknowledge that Lockdown Mode will offer significant protection for journalists, political activists and dissidents targeted by nation-state spyware and applauded Apple for working on the mitigations, at the expense of widely used default features.

Still, some argue that Apple can go a step further and provide tools to help researchers inspect devices for signs of infections.  

[ Read: Apple Slaps Lawsuit on NSO Group Over Pegasus iOS Exploitation ]

“The ‘features’ of Lockdown mode are all aimed at infection vectors. It’s a fixation on ever renewing ‘vulnerabilities’ rather than a lack of verifiability or inspection,” says Juan Andres Guerrero-Saade, principal security researcher at SentinelLabs and an adjunct lecturer at Johns Hopkins SAIS. 

“Until there’s an effort to empower researchers, incident responders, and victims to defend, verify, and remediate spyware on their devices (no matter how ‘high-end’ the malware, or how ‘few people affected’), Apple’s approach to iOS security remains one of willful ignorance,” Guerrero-Saade added.

Google’s James Forshaw, a prominent Project Zero researcher, described Lockdown Mode as “interesting” but said a real game-changer would be “system transparency so you could actually inspect your iOS device without jailbreaking it.”

“After all, how can you verify Lockdown Mode hasn’t been tampered with?,” Forshaw reacted on Twitter.

Despite these reservations, Amnesty International’s Guarnieri is pleased with the progress. “Regardless of how effective Lockdown Mode will turn out to be in its first iteration, this is a critically important development from a top hardware and software manufacturer like Apple.”

“Will other manufacturers follow the example?” Guarnieri asked, echoing calls from the security research community for a similar, easy-to-use setting that limits attack surfaces on Android and other rival mobile operating systems.

Related: Apple Adds ‘Lockdown Mode’ to Thwart .Gov Mercenary Spyware

Related: Apple Adds ‘BlastDoor’ to Secure iPhones From Zero-Click Attacks

Related: Google: NSO Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’

Related: Apple Slaps Lawsuit on NSO Group Over Pegasus iOS Exploitation

Related: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.