Nearly four years after releasing a security feature called Lockdown Mode, Apple says it has yet to see a case where someone’s device has been compromised with these additional security protections enabled.
“We are not aware of any successful mercenary spyware attacks against an Apple device with Lockdown Mode enabled,” Apple spokeswoman Sarah O’Rourke told TechCrunch on Friday.
It’s the tech giant’s latest confirmation that Apple devices with Lockdown Mode can withstand government spyware attacks, after first making the claim a year after the security feature first appeared.
Apple in 2022 announced Lockdown Mode, a set of security protections that disables certain features on iPhones and other Apple devices that are commonly used to hack targets with spyware. Apple specifically released this security feature to help at-risk customers defend against threats posed by government spyware from companies such as Intellexa, NSO Group and Paragon Solutions.
In recent years, Apple has acknowledged that its customers can be compromised by spyware and has been more proactive in notifying customers who have been targeted.
Apple has sent several batches of notifications to users in more than 150 countries alerting them that they may have been compromised with spyware, which shows how much visibility the company now has into these types of attacks. Apple has never said how many users it has notified, but it’s safe to assume there are dozens, if not more.
Donncha Ó Cearbhaill, head of the security lab at Amnesty International, where he has investigated dozens of spyware attacks, said he and his colleagues “have seen no evidence that an iPhone has been successfully compromised by mercenary spyware where Lockdown mode was activated at the time of the attack”.
Digital rights organizations such as Amnesty International and the University of Toronto's Citizen Lab have documented several successful attacks on iPhone users, none of which reported bypassing Lockdown Mode. In at least two cases, Citizen Lab researchers have publicly stated that they have seen Lockdown Mode actively block spyware attacks, one with NSO's Pegasus and the other with Predator spyware, made by a company now owned by Intellexa.
In at least one documented case of a spyware attack targeting an iPhone, Google security researchers said the spyware would refrain from trying to infect the victim if it detected Lockdown Mode, probably as a way to avoid detection.
Patrick Wardle, an Apple cybersecurity expert and critic, says Lockdown Mode is an important feature that makes it harder for spyware makers to attack Apple users.
“I think it’s safe to say that Lockdown mode is one of the most aggressive hardening features ever shipped for consumers,” he told TechCrunch.
Wardle explained that by “shrinking the attack surface,” Lockdown Mode eliminates many techniques commonly used to exploit the iPhone and forces spyware makers to rely on techniques that are more complex and expensive to develop.
“It kills entire delivery mechanisms/exploit classes,” he added, “because it blocks most types of message attachments, it limits WebKit features. It’s really a huge reduction in the remote attack surface, especially for zero-click exploit chains,” referring to attacks that can target people over the Internet without any interaction from the victim.
It is possible that Lockdown Mode has been bypassed and neither Apple nor independent researchers have caught the attack. But given that Apple is usually reticent in public at the best of times, its latest statement marks a major milestone for Lockdown Mode.
I’ve used Lockdown Mode for years and hardly think about it, except when notifications pop up, which can sometimes be confusing. Some disabled features require you to take an extra step, such as copying and pasting links from text messages into your browser. That’s why I, and a number of digital security experts, recommend that anyone concerned about becoming a target of spyware or digital attacks turn on Lockdown Mode.
