Apple Lockdown Mode: Security & Notification Issues

The Benefits of Apple's Lockdown Mode for Security

As a journalist prioritizing security, I actively utilize Apple’s optional “extreme protection” feature, Lockdown Mode.

Introduced by Apple in 2022, this security feature is now widely regarded as essential for individuals facing heightened risk. This includes dissidents in nations with corruption, human rights advocates operating under oppressive governments, and journalists committed to investigative reporting.

How Lockdown Mode Enhances Security

Lockdown Mode functions by disabling certain features on iPhones, iPads, and Macs. Its primary objective is to minimize the potential for successful exploitation by hackers employing advanced spyware or zero-day vulnerabilities.

These vulnerabilities are undiscovered flaws within systems that attackers can leverage for covert access and surveillance.

Specific Feature Restrictions

In practice, Lockdown Mode restricts several standard functionalities. These include:

• Fonts downloaded from the internet, which can be used for tracking.
• The acceptance of specific file types.
• The inclusion of location data within shared photographs.
• Support for 2G cellular networks.
• The ability to receive messages or calls from individuals not already in your contacts via FaceTime and iMessage.

The impact of the last restriction remains somewhat unclear and will be discussed further.

These limitations are a trade-off for significantly increased protection against hacking attempts, even those originating from highly skilled adversaries.

Proven Effectiveness

Lockdown Mode has already demonstrated its effectiveness in thwarting sophisticated attacks. Apple reports no known successful hacks against users who have activated the feature.

Furthermore, the digital rights organization Citizen Lab has documented instances of spyware attacks that were successfully blocked by Lockdown Mode.

I have also received anecdotal evidence from professionals in the offensive security sector who have expressed frustration with the increased difficulty of exploiting systems protected by Lockdown Mode.

Areas for Improvement

Despite its benefits, the inner workings of Lockdown Mode remain largely opaque. There is a lack of clear explanation regarding the rationale behind its specific actions.

Some of the notifications generated by Lockdown Mode are confusing, unexplained, or appear arbitrary, potentially discouraging users from enabling the feature.

Three years after its initial release, a greater degree of transparency regarding its functionality would be beneficial.

Encountering Unexpected Blocks: A Lockdown Mode Mystery

It’s important to acknowledge that individuals potentially targeted by state-sponsored hackers should utilize Lockdown Mode, despite any inconveniences it may present.

The limitations imposed by the mode itself aren't the core issue; rather, the increasing ambiguity of its notifications is causing concern.

Recently, a Lockdown Mode alert was received, identifying an individual with whom contact hadn’t been made for months, and no subsequent communication occurred. When directly inquiring if an attempt to connect had been made, the person confirmed they had not initiated any contact.

Reports have surfaced indicating that simply viewing a contact within a user’s address book can trigger a “Lockdown Mode blocked…” notification, raising questions about the activation criteria.

For several months, consistent notifications have been appearing, stating that Lockdown Mode prevented someone “from contacting” the user each time iMessage is employed. These alerts consistently name individuals already present in the user’s contacts.

These notifications frequently surface during active messaging conversations with the identified person, creating uncertainty about message delivery and the potential for prior messages to have been filtered by Lockdown Mode.

This raises the question of potential compromise; is a security breach occurring, or is targeted surveillance taking place? Is professional device inspection warranted with each notification?

Despite these alerts claiming to block communication, continued interaction with the named individuals is possible. They are, in fact, able to contact and converse with the user. What function is Lockdown Mode actually performing in these instances?

Selecting a Lockdown Mode notification yields no further information. Users are not directed to resources explaining the mode’s functionality or the specific meaning of these alerts.

Runa Sandvik, a cybersecurity expert assisting high-risk individuals, expressed to TechCrunch that these messages lack utility. They provide no context, offer no actionable steps, and lack a means to understand the underlying cause. Sandvik suggests Apple should either provide more clarifying information or discontinue displaying these notifications altogether.

Sandvik’s observations are shared by others. Following a public discussion of these concerns, numerous individuals reported similar experiences and expressed confusion regarding the notifications.

For instance, editor Zack Whittaker has repeatedly received Lockdown Mode alerts regarding attempted Apple Music control sharing, as well as notifications indicating Focus Sharing was blocked and would not be distributed while in Lockdown Mode.

A Security Experiment

An investigation was undertaken, with the assistance of Harlo Holmes, the Chief Information Security Officer and Director of Digital Security at the Freedom of the Press Foundation – a non-profit organization dedicated to supporting a free press. The core question explored whether enabling Lockdown Mode on a phone influenced the occurrence of ambiguous notifications when contacted by individuals not present in the user’s contacts. Furthermore, the experiment aimed to identify the types of content that would be blocked.

To conduct the test, both I and Ms. Holmes removed each other from our respective contact lists, maintaining our amicable relationship. We then initiated communication via iMessage for the first time. Upon receiving a text message from Ms. Holmes – with neither of us listed in the other’s contacts – a “Lockdown Mode blocked…” notification appeared, displaying her phone number. Despite the notification, the message itself was successfully delivered.

Our exchange included text, emojis, a photograph of a cat, and iMessage “stickers.” All forms of communication were transmitted successfully, with the exception of the stickers. These were either rendered as a Unicode question mark or as an unopenable file attachment.

Notably, while the stickers were blocked for the recipient, both Ms. Holmes and I could still view the sent stickers on our own devices. This indicates that the blocking mechanism is only visible to the person receiving the message. The “Lockdown Mode blocked…” notification also operates in this manner; I received it, but Ms. Holmes was unaware of its appearance.

This behavior is logical, as Apple would likely avoid alerting potential government attackers that their hacking attempts have failed and that the target has been notified of the intrusion attempt.

The functionality of Lockdown Mode in blocking potentially harmful content is reassuring, and contributes to enhanced security. However, the precise meaning and implications of these notifications remain unclear.

A request for clarification was submitted to Apple. However, a spokesperson for the company did not offer an official statement prior to publication. It is worth noting that the spokesperson did acknowledge receipt of the inquiry, confirming that Lockdown Mode did not impede its delivery.