New iPhone Exploit Technique Evades Lockdown Mode Function

Researchers have discovered a way to hack into the iPhones of users who use Apple’s Lockdown Mode for extreme security protection because they are particularly vulnerable to cyberattacks from nation-state actors.

See Also: Live Webinar | Cutting Through the Hype: What Software Companies Really Need from ASPM

Security analysts from Jamf Threat Labs said Tuesday that they have identified a post-exploitation tampering technique that tricks users into believing their phone is running in Lockdown Mode while in actuality it is “without any of the protections that would normally be implemented by the service.”

Apple released Lockdown Mode in 2022 to protect users facing threats of advanced commercial spyware deployed by state agencies. The service blocks all wired connections, incoming service requests and certain web technologies while prohibiting mobile device management (see: Apple Lockdown Mode Aims to Prevent State-Sponsored Spyware).

European lawmakers have called for tougher rules designed to prevent spyware abuse, and the White House in March issued an executive order prohibiting federal agencies from buying licenses for spyware used by foreign governments to spy on dissidents. Apple sued developer NSO Group – maker of Pegasus commercial spyware – in U.S. federal court in late 2021 in a bid to prevent the company from ever again accessing Apple products or services, in a complaint that also sought damages. The case is ongoing in the U.S. District Court for the District of Northern California.

Researchers said the tampering technique does not exploit a flaw in Lockdown Mode but instead “allows malware to visually fool the user into believing that their phone is running in Lockdown Mode.”

The attack works by manipulating the code in a compromised device to implement “Fake Lockdown Mode.” When the user attempts to initiate the Apple security service, the phone appears to enter Lockdown Mode and mimic its security restrictions “but makes no changes to the device’s configuration,” the researchers said.

The latest iPhone operating system, iOS 17, provides additional protections for Lockdown Mode and “is a great step in enhancing security,” according to the researchers. It does this by elevating Lockdown Mode beyond user mode code to kernel mode code, which typically requires a system reboot for any changes to be made to the device.

Apple describes Lockdown Mode as “an optional, extreme protection that’s designed for the very few individuals” who face targeting “by some of the most sophisticated digital threats.” An Apple spokesperson did not immediately respond to a request for comment.

The researchers said vulnerable users likely to use the Lockdown Mode feature can still be susceptible to significant cyberattacks without fully understanding how the service works, along with its limitations.

“Lockdown Mode doesn’t function as antivirus software, it doesn’t detect existing infections, and it doesn’t affect the ability to spy on an already compromised device,” the researchers said. “It is really only effective – before an attack takes place – at reducing the number of entry points available to an attacker.”