Apple’s Lockdown Mode not a failsafe protection


Apple’s iOS Lockdown Mode is a useful preventative measure against cyberattacks, but once a device has been compromised it too can be leveraged by threat actors, an analyst warns.

Once an Apple phone has been hacked into, Lockdown Mode can be impersonated to lull device owners into a false sense of security, says Jamf Threat Labs.

“Users can still be susceptible to attack if they are not fully aware of how Lockdown Mode works and its limitations,” said Jamf. “While Lockdown Mode effectively reduces the attack surface on an iOS device, it's important to remember that once a device is already compromised, Lockdown Mode doesn’t stop malware from operating.”

Apple introduced the feature in 2022 in response to an unprecedented rise in cyberattacks as reported by fellow tech giant Google.

Apple bills Lockdown Mode as “an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats.”

Unfortunately, once a phone has been infected, “there are no safeguards in place to stop the malware from running in the background, whether the user activates Lockdown Mode or not.”

Security test exposed flaws

Jamf penetration testers were able to push past an iOS device’s defenses and install a fake version of Lockdown that would effectively fool a user into thinking they were protected when they weren’t.

“What we did is straightforward,” said Jamf. “Whenever the user turns on the Lockdown Mode, a file named /fakelockdownmode_on is created as an indicator, and a userspace reboot is initiated.”

“The device did not really reboot and allowed our injected code to maintain adaptable control over the Lockdown Mode,” it added. “This also means that even malware lacking persistence can persistently run and monitor the user.”

The Safari browser can also be manipulated with a similar trick, altering visible labels so that it looks as though Lockdown Mode is enabled when it isn’t.

“We then can make this function return desired results at different scenarios,” said Jamf. “For example, we can make it return [...] ‘Yes’ when determining the appearance of surface-level elements, like the ‘Lockdown Ready’ label in the User Interface.”

Defensive limitations

And even as a pre-emptive defensive tool, Lockdown has its limitations.

“Lockdown Mode doesn’t function as antivirus software, it doesn’t detect existing infections, and it doesn't affect the ability to spy on an already compromised device. It is really only effective – before an attack takes place – at reducing the number of entry points available to an attacker.”

The good news is threat actors have not yet been observed using this technique, according to Jamf.

“Note that this is not a flaw in Lockdown Mode or an iOS vulnerability,” it added. “It is a post-exploitation tampering technique that allows malware to visually fool the user into believing that their phone is running in Lockdown Mode. This technique has not yet been observed in the wild and is only possible on a compromised device.”