Dec 5, 2023 8:45 AM PT

How Fake Lockdown Mode can fool you into a sense of security

Don't panic, but a team of security researchers have figured out how to fool people into thinking they have Lockdown Mode enabled when they don't.

In yet another illustration of just how devious criminals have become in their attempts to undermine security, Jamf Threat Labs has identified a potential tampering technique that puts a device into Fake Lockdown Mode.

As most people know, Lockdown Mode is an extreme protection feature for iPhone designed to protect the kind of high-value targets some of the nastiestsurveillance and state-sponsored attackers aim for.

The febrile security environment

In recent years, a series of targeted spyware attacks against journalists, activists, and others have been exposed. Developed by Apple, Lockdown Mode protects such targets by securing media handling, network security, and other features — at the cost of reduced device utility. The protection is intended only for a small number of  users, but as attacks proliferate, this may change.

While the Fake Lockdown Mode attack the researchers identified isn’t thought to be actively in use, the idea is that a target can be tricked into believing their device remains protected by Apple’s Lockdown Mode, even when it isn’t. 

Always keep your device with you

Threat Labs calls it a “post-exploitation technique,” which means not only does it require that perpetrators have access to a device to install the malware, but they also need to get past device protection (ID). It is not a flaw in Lockdown Mode itself.

In other words, as long as no one gets alone time with your device, such attacks shouldn't easily take place.

How it works is that once the malware is installed, it tries to visually fool a user into thinking they remain protected by Lockdown Mode. 

“What we did is straightforward,” the researchers said. “Whenever the user turns on the Lockdown Mode, a file named /fakelockdownmode_on is created as an indicator, and a userspace reboot is initiated.”

But in truth the device does not really reboot. “This also means that even malware lacking persistence can persistently run and monitor the user,” they said.

As the extensive technical note explains, this trickery can be made to also extend to warnings on Lockdown-protected apps, such as Safari.

You can watch a comparative video here.

The more things change, the more they stay the same

In truth, this is a highly proof-of-concept vulnerability disclosure that raises the alarm against attacks that haven’t happened yet, which means it’s not something to be immediately alarmed by.

It also makes use of one of the age-old attacks — a physical undermining of device security — just like the old days.

All the same, it does represent the extent to which device security absolutely must be maintained. What that means for most users is never to share passwords or leave their device unprotected. It might also suggest regular passcode hygiene in the sense of scheduled changes to passcodes and key passwords. It might also be wise to delete and restore devices more often than we are used to, though some of the more abusive attacks are capable of surviving even that.

The limits of Lockdown Mode

It's important to understand the limitations of Lockdown Mode protection.

The research team’s message is simple: Lockdown Mode is not antivirus software, doesn’t detect malware, and it won’t warn if your device is being or has already been exploited.

What this means is that when you put your device into the mode, doing so “won’t stop an attack that has already been initiated."

Yes, the mode vastly reduces the attack surface, but doesn’t provide perfect mitigation against any ongoing violations.

While it is important to understand that this Fake Lockdown Mode is a proof of concept, those who are high-value targets will now need to take extra time to secure their devices physically as well as digitally. This kind of device tampering — which has always been one form of attack vector — clearly has no intention of going away.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.