Lockdown Mode is a new Apple feature you should hope you’ll never need to use. But for those who do, like journalists, politicians, lawyers and human rights defenders, it’s a last line of defense against nation-state spyware designed to punch through an iPhone’s protections.
The new security feature was announced earlier this year as an “extreme” level of protection against spyware makers that were increasingly finding ways to remotely hack into iPhones without any user interaction. These so-called zero-click attacks are invisible and exploit weaknesses in core iPhone features, like calling, messaging and browsing the web. Apple fixes vulnerabilities as they are discovered, often by security researchers who find evidence of spyware on victims’ phones. But it’s an ongoing chase between Apple and the spyware makers that have targeted thousands of journalists, activists and human rights defenders in recent years.
What is Lockdown Mode?
With Lockdown Mode, Apple is giving users the option to temporarily switch off some of most-abused device features at the push of a button (and a device restart) to make it far more difficult for spyware to break through and siphon off your private phone data. Or, as Apple calls it, “sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.”
TechCrunch tried out Lockdown Mode using an iPhone running Apple’s public beta of iOS 16, which includes the new mode. Lockdown Mode kicks in after some disclaimers and a device restart, and can be switched off again through the Settings menu.
[gallery ids="2371532,2371534,2371535"]
Although the mode limits what you can do and who can contact you — that’s the trade-off for having a far more secure iPhone — we didn’t find using our iPhone in Lockdown Mode to be overly prohibitive or frustrating as thought when the feature was first announced.
The idea is to shore up as many routes into your iPhone, iPad or Mac from the internet as possible without overly degrading the device’s usability. That means blocking contact from people you don’t know so that only people you know can call or message you. As the saying goes, your mileage may vary, in that your experience may differ based on your needs.
One of the first things you’ll notice is that Lockdown Mode switches off link previews in text messages, which have been shown to unmask a person’s anonymity by obtaining their IP address. The mode doesn’t block the link, just the preview, so you can still copy and paste the web address into your browser. That adds a moment of inconvenience to the user, but it makes it far more difficult for attackers to break in where they once succeeded.
Lockdown Mode also changes how the Safari browser works, disabling certain features that might affect some websites or break others entirely. You’ll see some web pages that rely on more complex web technologies in your browser, like web-based fonts and just-in-time compilers that help websites load faster, might not render properly or might not load at all.
Switching off just-in-time (or JIT) compilers will slow down some websites, but will prevent malicious JavaScript code from running that can escape your browser’s protective sandbox and access other parts of your device’s data. Some websites load custom font files from over the internet to make them look the way they’re supposed to, but fonts can also be packed with malware that can remotely run malicious code on your device.
Safari says “Lockdown Mode” when the feature is switched on. You can see that TechCrunch loads fairly well and that the browser relies on in-built fonts if it cannot download them over the internet, changing the appearance of the page slightly. You can still set certain sites as “trusted” in Lockdown Mode, which lets you bypass the restrictions on sites you know to be safe.
Before and after
[gallery type="slideshow" ids="2371563,2371564,2371565,2371566"]
Where features are no longer available, like Shared Photos, which seem to mysteriously disappear from your phone when in Lockdown Mode, your device generally does a good job of alerting the user when the feature proactively kicks in.
You’ll see that when Lockdown Mode is in effect, you can’t receive FaceTime calls from contacts you have never communicated with before. That’s designed to protect against zero-click attacks that exploit weaknesses in FaceTime and iMessage, which are known to be used by spyware makers like NSO Group and Candiru. You also cannot open attachments, like documents or files, because they could contain malicious code that could compromise your device. You won’t receive Apple service invitations, like calendars and notes, from people you haven’t communicated with before while Lockdown Mode is enabled, and you cannot install new configuration profiles for joining new work or school networks, since they can be misused by bad actors to remotely control a person’s device.
[gallery ids="2371584,2371586,2371587"]
Most of the features that are blocked or limited make it tougher for attackers or spyware makers to remotely hack into an iPhone over the internet or cell network, but it also blocks wired connections to your device, preventing anyone with physical access to your phone or computer from being able to download its contents, using phone cracking technology.
Lockdown Mode might be a tacit admission that Apple can’t protect against every spyware maker or malware threat, just like no company can. But it is a sign of addressing the matter head on, rather than denying it exists. Lockdown Mode lands in iOS 16 and macOS Ventura later this year.