closed red shutter
Apple | Exploits and vulnerabilities | News

iOS Lockdown Mode effective against NSO zero-click exploit

Posted: April 21, 2023 by Pieter Arntz

Apple’s Lockdown Mode feature alerted a victim to one of the latest NSO exploits, according to a report by Citizen Lab.

Lockdown Mode notification related to the PWNYOURHOME exploit
image courtesy of Citizen Lab

This is a huge deal since it shows how useful Lockdown Mode can be, even against exploits developed by one of the world’s most notorious commercial spyware producers.

Pegasus spyware, developed by NSO Group, has featured in many news stories, after being found to have been used against journalists, politicians, State Department employees, embassy workers, and activists.

We talked about Pegasus infections in our podcast Lock and Code, which can be listened to in full here:

As Pegasus has become publicly scrutinized, NSO Group has expanded its product line. Citizen Lab found several new zero-click chains that it was able to tie to the NSO group with high confidence.

The report describes three of them in detail:

  • PWNYOURHOME: An iOS 15 and iOS 16 zero-click exploit which involves the HomeKit functionality built into iPhones and works even if the victim has never configured a “Home” inside HomeKit.
  • FINDMYPWN: An iOS 15 zero-day, zero-click exploit which is associated with the iPhone’s built-in Find My functionality.
  • LATENTIMAGE: An iOS 15 zero-click exploit which is also believed to use the iPhone’s Find My feature.

The use of multiple attack surfaces can be handled in two very different ways. You can play a game of whack a mole and patch the vulnerabilities as they get uncovered, which is certainly necessary and common practice, but it has the disadvantage of being responsive rather than preventive. And the report also stipulates that NSO is getting better at hiding itself and its traces on infected devices, which makes it harder to find and analyze the exploits they used.

The other way of minimizing the risk of exploits is to build with security in mind. Think of design decisions like memory safe programming languages, and sandboxing applications so a vulnerability in one does not lead to a compromised device and stays limited to the app. But also features like Apple’s Lockdown Mode which puts an iPhone into a state where it is more difficult to attack.

Lockdown Mode is available for iOS 16, iPadOS 16 and macOS Ventura. It is designed to provide a safer environment for users that are at a higher risk.

You could say it was introduced with Pegasus in mind. And although Apple refers to Lockdown Mode as “an extreme, optional protection,” the limitations don’t actually sound particularly difficult to live with.

  • Messages: Most message attachment types other than images are blocked and some features, like link previews, are unavailable.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.

Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on. A device that was enrolled in Mobile Device Management before Lockdown Mode is enabled remains managed. System administrators can install and remove configuration profiles on that device.

Even though it’s very good news that Lockdown Mode proved it was able to notify a target about an ongoing attack, there are some caveats. The Citizen Lab report also mentions that NSO may have figured out a way to correct the notification issue, since Citizen Lab has had no new reports about it. NSO could have done this, for example, by fingerprinting Lockdown Mode. And since Lockdown Mode is not available for iOS 15 it only provides protection against the PWNYOURHOME exploit. The others didn’t work on iOS 16 anyway.

Enabling Lockdown mode

So, how do you turn on Lockdown Mode? If you consider yourself a target for commercial spyware or are willing to live with some minor inconveniences for a higher level of security, here’s what you can do.

How to enable Lockdown Mode on iPhone or iPad:

  • Open the Settings app
  • Tap Privacy & Security
  • Under Security, tap Lockdown Mode and tap Turn On Lockdown Mode
  • Tap Turn On Lockdown Mode
  • Tap Turn On & Restart, then enter your device passcode.

And you’re all set. If you feel that the limitations are a bit too strict for your convenience, don’t turn it off immediately because there are ways to exclude apps or websites from Lockdown Mode. While your device is in Lockdown Mode, you can exclude an app or website in Safari from being impacted and limited. Exclude only trusted apps or websites and only if necessary.

To exclude a website while browsing: Tap the Page Settings button , then tap Website Settings. Then turn off Lockdown Mode.

To exclude an app or edit your excluded websites:

  • Open the Settings app
  • Tap Privacy & Security
  • Under Security, tap Lockdown Mode
  • Tap Configure Web Browsing
  • Exclude websites or apps from Lockdown Mode on iPhone

To exclude an app, turn that app off in the menu. Only apps that you have opened since enabling Lockdown Mode and which have limited functionality appear on this list.

To edit your excluded websites, tap Excluded Safari Websites > Edit.

We don’t just report on iOS security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

RELATED ARTICLES

Fishing in a lake
Cybercrime

Law enforcement reels in phishing-as-a-service whopper

April 18, 2024 - A major international law enforcement effort has disrupted the notorious LabHost phishing-as-a-service platform.

CONTINUE READING 0 Comments
Cerebral logo
News | Privacy

Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million

April 18, 2024 - The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data.

CONTINUE READING 0 Comments
JuicyFields investment scam
News | Scams

Cannabis investment scam JuicyFields ends in 9 arrests

April 18, 2024 - JuicyFields was an investment scam that urged victims to invest in cannabis production.

CONTINUE READING 0 Comments
A mobile phone in the hands of a young woman in a dark colored t-shirt.
Privacy

Should you share your location with your partner?

April 17, 2024 - Location sharing is popular among couples. But is it something you want in your own relationship?

CONTINUE READING 0 Comments
Giant Tiger logo
News | Personal

Giant Tiger breach sees 2.8 million records leaked

April 16, 2024 - A threat actor claims to be in possession of 2.8 million records originating from a hack at Canadian retail chain Giant Tiger

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Pieter Arntz

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams