Detecting Apple's Lockdown Mode - ThreatWire (Patreon)

By Shannon Morse, ThreatWire

Similar to Google’s Advanced Protection Program is Apple’s brand new privacy option called Lockdown Mode, which is made for folks in high risk categories such as journalists, activists, human rights defenders, politicians, people with access to proprietary or high security information, etc. People in these groups are often targeted by government backed threat actors and as such, both Google and now Apple have created functionalities for accounts that require specific security features to be enabled, or remove access to features that could be exploited.

Starting next month, Apple iOS users can enable this feature on their phones or ipads, within iOS 16, iPadOS 16, and Mac OS Ventura. Lockdown mode disables accepting attachments via iMessage other than images, disables Javascript compiling in web, blocks incoming Facetime calls from unknown callers, disables wired connections to computers while the phone is locked, and disables mobile device management config installations to potentially block malware installations.

According to John Ozbay, CEO of the privacy oriented company Cryptee, this mode is easy for a developer to detect with device fingerprinting. It’s likely that Lockdown Mode won’t be used by a large audience, so if they can be detected, they will also stand out amongst a crowd of other iOS users. A proof of concept was created to test this detection, which shows that any website or ad could determine if a user is browsing in Lockdown mode.

Ozbay noted that the easiest setting to detect is Lockdown Modes disabling of custom fonts loading on websites. Their proof of concept website proves how easy it is to fingerprint a visitor using Lockdown Mode vs one who is not. And while this may not be considered a vulnerability, it is a privacy trade off. Apple would have to rework how Lockdown Mode works in order to mitigate this issue. But the theory is that if enough people enable Lockdown Mode, then all visitors to a site or an app would blend in together and not be seen as an uncommon user.

Given that most users will likely not consider themselves a target for attacks like the ones that Lockdown Mode is marketed towards, we probably will not see a huge influx of users enabling this feature. The POC website notes that Lockdown Mode is great for - security - but the trade off is convenience of having features that could be exploited and the trade off of privacy since Lockdown Mode could make you stand out of the crowd.

Each user would have to consider their own threat modeling to determine if the trade offs are right for them.

LINKS:

https://www.vice.com/en/article/88qnag/apple-announces-extreme-privacy-mode-for-targets-of-government-spyware
https://www.vice.com/en/article/epzpb4/websites-can-identify-if-youre-using-iphones-new-lockdown-mode
https://crypt.ee/ios-lockdown-mode-test
https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/