The surveillance-for-hire Industry has emerged in recent years as a very real threat to activists, dissidents, journalists, and human rights defenders around the world, as vendors offer increasingly invasive and effective spyware to governments. The most sophisticated of these tools, like NSO Group’s notorious Pegasus spyware, target victims’ smartphones using rare and sophisticated exploits to compromise Apple’s iOS and Google’s Android mobile operating systems. As the situation has deteriorated for victims, activists and security experts have increasingly called for more drastic measures to protect vulnerable individuals. Now Apple has an option.
Today, Apple is announcing a new feature for its upcoming iOS 16 release called Lockdown Mode. Apple emphasizes that the feature was created for a small subset of users who are at high risk of government targeting, and it doesn’t expect the feature to be widely adopted. But for those who want to use it, the feature is an alternate mode of iOS that heavily restricts the tools and services spyware actors target to take control of victim devices.
“This is an unprecedented step for user security for high-risk users,” Ron Deibert, director of the University of Toronto’s Citizen Lab said on a call with reporters ahead of the announcement. “I believe that this will throw a wrench into their modus operandi. … I expect [spyware vendors] to try to evolve, but hopefully, this feature will prevent some of those harms from happening down the road.”
Lockdown Mode is a separate operating system mode. To turn it on, users enable the feature in the settings menu and then are prompted to restart their device for all of the protections and digital defenses to fully take effect. The feature imposes limitations on the leakiest parts of the operating system sieve. Lockdown Mode attempts to comprehensively address threats from web browsing, for example, by blocking many speed and efficiency features that Safari (and WebKit) use to render webpages. Users can specifically mark a certain webpage as trusted so it loads normally, but by default, Lockdown Mode imposes a host of restrictions that extend anywhere WebKit is working behind the scenes. In other words, when you load web content in a third-party app or an iOS app like Mail, the same Lockdown Mode protections will apply.
Lockdown Mode also limits all sorts of incoming invitations and requests, unless the device has preciously initiated a request first. That means your friend won’t be able to call you on FaceTime, for example, if you’ve never called them. And to take it one step farther, even when you initiate an interaction with another device, Lockdown Mode only honors that connection for 30 days. If you don’t talk to a particular friend for weeks after that, you’ll need to reestablish contact before they can reach out to you again. In Messages—a frequent target of spyware exploitation—Lockdown Mode won’t show link previews and will block all attachments with the exception of a few trusted image formats.
Lockdown Mode also strengthens other protections. For example, when a device is locked, it won’t receive connections from anything physically plugged into it. And, crucially, a device that isn’t already registered with one of Apple’s enterprise mobile device management (MDM) programs can’t be added to one of these schemes once Lockdown Mode is turned on. This means that if your company gives you a phone enrolled in the corporate MDM, it will remain active if you then enable Lockdown Mode. And the manager of your MDM can’t remotely turn off Lockdown Mode on your device. But if your phone is just a regular consumer device and you put it in Lockdown mode, you won’t be able to activate MDM. This is important because attackers will trick victims into enabling MDM as a way of gaining the ability to install malicious apps on their devices.