Almost four years after launching a security feature called Lockdown Mode, Apple says it has yet to see a case where someone’s device was hacked with these additional security protections switched on. A company spokesperson stated, “We are not aware of any successful mercenary spyware attacks against a Lockdown Mode-enabled Apple device.” This is the tech giant’s most recent affirmation that Apple devices with Lockdown Mode can withstand government spyware attacks, a claim first made a year after the security feature’s debut.
Apple announced Lockdown Mode in 2022. It is an opt-in series of security protections that switches off certain features in iPhones and other Apple devices that are commonly exploited to hack targets with spyware. Apple specifically released this security mode to help at-risk customers defend themselves from the threats posed by government spyware made by companies like Intellexa, NSO Group, and Paragon Solutions.
In recent years, Apple has conceded that its customers can be hacked by spyware and has been more proactive about notifying customers who have been targeted. Apple has sent numerous batches of notifications to users in over 150 countries, alerting them that they may have been hacked with spyware, which shows how much visibility the company now has on these types of attacks. Apple has never said how many users it has notified, but it is likely fair to assume there have been dozens, if not more.
The head of the security lab at Amnesty International, where dozens of spyware attacks have been investigated, said that he and his colleagues “have not seen any evidence of an iPhone being successfully compromised by mercenary spyware where Lockdown Mode was enabled at the time of the attack.” Digital rights organizations like Amnesty International and the University of Toronto’s Citizen Lab have documented several successful attacks on iPhone users, none of which have mentioned a bypass of Lockdown Mode.
In at least two cases, Citizen Lab researchers publicly said they had seen Lockdown Mode actively block spyware attacks, one carried out with NSO’s Pegasus and the other with Predator spyware, made by a company now part of Intellexa. In at least one other documented case of a spyware attack targeting iPhones, security researchers at Google said the spyware would bail out of trying to infect the victim if it detects Lockdown Mode, likely as a way to evade detection.
Patrick Wardle, an Apple cybersecurity expert and critic, says that Lockdown Mode is an important feature that makes it more difficult for spyware makers to attack Apple users. He stated, “I think it’s safe to say, Lockdown Mode is one of the most aggressive consumer-facing hardening features ever shipped.” Wardle explained that by “shrinking the attack surface,” Lockdown Mode eliminates many techniques normally used to exploit the iPhone, and forces spyware makers to use more complex and expensive techniques to develop.
He added, “It kills entire delivery mechanisms and exploit classes, as it blocks most message attachment types and restricts WebKit features. This is really a huge reduction in remotely reachable attack surface, especially for zero-click exploit chains,” referring to hacks that can target people over the internet without any interaction from the victim.
It is possible that Lockdown Mode has been bypassed, and neither Apple nor independent investigators have caught the attack. But given that Apple is typically publicly tight-lipped, its latest statement marks a significant milestone for Lockdown Mode.
I have used Lockdown Mode for years, and I barely think about it except when it pops up notifications that can be occasionally confusing. Some features that have been switched off require you to take an extra step, such as copying and pasting links from text messages to your browser. That is why I, and several digital security experts, recommend anyone worried about being targeted by spyware or digital attacks to switch on Lockdown Mode.