Apple says no one using Lockdown Mode has been hacked with spyware

by Amelia Forsyth


Almost four years after launching a security feature called Lockdown Mode, Apple says it has yet to see a case where someone’s device was hacked with these additional security protections switched on. 

“We are not aware of any successful mercenary spyware attacks against a Lockdown Mode-enabled Apple device,” Apple spokesperson Sarah O’Rourke told TechCrunch on Friday.

It’s the tech giant’s most recent affirmation that Apple devices with Lockdown Mode can withstand government spyware attacks, after first making the claim a year after the security feature’s debut.

Apple in 2022 announced Lockdown Mode, an opt-in series of security protections that switches off certain features in iPhones and other Apple devices that are commonly exploited to hack targets with spyware. Apple specifically released this security mode to help at-risk customers defend themselves from the threats posed by government spyware made by companies like Intellexa, NSO Group, and Paragon Solutions.

In recent years, Apple has conceded that its customers can be hacked by spyware and has been more proactive about notifying customers who have been targeted.

Apple has sent numerous batches of notifications to users in over 150 countries, alerting them that they may have been hacked with spyware, which shows how much visibility the company now has on these types of attacks. Apple has never said how many users it has notified, but it’s likely fair to assume there have been dozens, if not more.

A screenshot showing iOS Lockdown Mode in iOS 16. Image Credits: Apple (supplied)

Donncha Ó Cearbhaill, the head of the security lab at Amnesty International, where he has investigated dozens of spyware attacks, said that he and his colleagues “have not seen any evidence of an iPhone being successfully compromised by mercenary spyware where Lockdown Mode was enabled at the time of the attack.”

Digital rights organizations like Amnesty International and the University of Toronto’s Citizen Lab have documented several successful attacks on iPhone users, and none of those reports has mentioned a bypass of Lockdown Mode. In at least two cases, Citizen Lab researchers publicly said they had seen Lockdown Mode actively block spyware attacks, one carried out with NSO’s Pegasus, the other with Predator spyware, made by a company now part of Intellexa.

In at least one documented case of a spyware attack targeting iPhones, security researchers at Google said the spyware would bail out of trying to infect the victim if it detects Lockdown Mode, likely as a way to evade detection.

Patrick Wardle, an Apple cybersecurity expert and critic, says that Lockdown Mode is an important feature that makes it more difficult for spyware makers to attack Apple users.

“I think it’s safe to say, Lockdown Mode is one of the most aggressive consumer-facing hardening features ever shipped,” he told TechCrunch. 

Wardle explained that by “shrinking the attack surface,” Lockdown Mode eliminates many techniques normally used to exploit the iPhone, and forces spyware makers to rely on techniques that are more complex and expensive to develop.

“It kills entire delivery mechanisms/exploit classes,” he added, “as it blocks most message attachment types, restricts WebKit features. This is really a huge reduction in remotely reachable attack surface, especially for zero-click exploit chains,” referring to hacks that can target people over the internet without any interaction from the victim.

It’s possible that Lockdown Mode has been bypassed, and neither Apple nor independent investigators have caught the attack. But given that Apple is typically publicly tight-lipped at the best of times, its latest statement marks a significant milestone for Lockdown Mode.

I have used Lockdown Mode for years, and I barely think about it — except when it pops up notifications that can be occasionally confusing. Some features that have been switched off require you to take an extra step, such as copying and pasting links from text messages to your browser. That’s why I, and several digital security experts, recommend that anyone worried about being targeted by spyware or digital attacks switch on Lockdown Mode.


