The rental surveillance industry has emerged in recent years as a very real threat to activists, dissidents, journalists and human rights defenders around the world, as vendors offer increasingly invasive and effective spyware to governments. The most sophisticated of these tools, like NSO Group’s infamous Pegasus spyware, target victims’ smartphones using rare and sophisticated exploits to compromise Apple’s iOS and Google’s Android mobile operating systems. As the situation for victims worsened, activists and security experts increasingly called for more drastic measures to protect vulnerable individuals. Now Apple has an option.
Today, Apple is announcing a new feature for its upcoming iOS 16 release called Lockdown Mode. Apple stresses that this feature was created for a small subset of users who are at high risk of government targeting, and does not expect the feature to be widely adopted. But for those who want to use it, the feature is an iOS alternative that severely limits the tools and services spy actors target to take control of victim devices.
“This is an unprecedented step for user security for high-risk users,” Ron Deibert, director of the University of Toronto’s Citizen Lab, told reporters ahead of the announcement. “I believe this will throw a wrench in their modus operandi. … I expect [spyware vendors] to try to evolve, but hopefully this feature will prevent some of those harms from happening down the road.”
Locked mode is a special mode of operation of the operating system. To turn it on, users enable the feature in the settings menu and are then required to reboot their device for all protections and digital defenses to take full effect. This feature imposes restrictions on the most leaky parts of the operating system. Lockdown Mode attempts to comprehensively address web browsing threats, for example by blocking many of the speed and efficiency features that Safari (and WebKit) use to display web pages. Users can specifically mark a specific web page as trusted so that it loads normally, but by default, Lockdown Mode imposes a host of restrictions that extend everywhere WebKit works behind the scenes. In other words, when you load web content in a third-party app or an iOS app like Mail, the same protection will apply in Lock Mode.
Lock mode also restricts all types of incoming invitations and requests, unless the device has initiated the request first. This means that your friend won’t be able to call you on FaceTime, for example, if you’ve never called them. And to take it a step further, even when you initiate an interaction with another device, Lockdown Mode only honors that connection for 30 days. If you don’t talk to a particular friend for weeks afterwards, you’ll need to re-establish contact before they’ll reach out to you again. In Messages—a common target for spyware exploits—Lock Mode will not display link previews and will block all attachments with the exception of a few trusted image formats.
Lock mode also strengthens other protections. For example, when a device is locked, it will not receive connections from anything physically attached to it. And, most importantly, a device that isn’t already enrolled in one of Apple’s Mobile Device Management (MDM) programs can’t be added to one of these schemes after Lockdown Mode is turned on. This means that if your company gives you a phone enrolled in corporate MDM, it will remain active if you then enable Lockdown Mode. And your MDM manager cannot remotely turn off Lockdown Mode on your device. But if your phone is just a regular consumer device and you put it in lock mode, you won’t be able to activate MDM. This is important because attackers will trick victims into enabling MDM as a way to gain the ability to install malicious apps on their devices.