In mid-2022, Apple announced an additional security feature for iOS, iPadOS, and macOS called Lockdown Mode, described as an extreme, optional measure to help protect users who may be personally targeted by sophisticated mercenary spyware. It appears to be a response to the Pegasus spyware developed by the Israeli cyber intelligence firm NSO Group Technologies, which has been used against activists, journalists, and politicians globally. Apple have provided limited technical detail about Lockdown Mode, instead offering a list of eight features that operate differently when the mode is enabled. In this post we look at the likely security reasoning behind each of those eight changes.
Messages

Apple states that ‘Most message attachment types are blocked, other than certain images, video, and audio. Some features, such as links and link previews, are unavailable’. Messages carrying attachments or links are a common way to get code running on a target’s device. On a mobile platform the danger is less that the user opens an executable and more that the attachment is parsed automatically: the image, video, PDF or link-preview handling runs as soon as the message arrives or is previewed, so a memory-corruption bug in one of those parsers can be triggered with little or no user interaction. By restricting attachment types and disabling links and link previews, Apple shrinks the set of parsers an attacker can reach through Messages. The attack surface is reduced rather than removed: the image, video and audio decoders that remain are still reachable, and the value of the restriction is that an attacker is limited to a handful of file types, each of which must be parsed safely regardless of what extension it claims to have.

Web browsing

In the released post, Apple states that ‘Certain complex web technologies are blocked, which might cause some websites to load more slowly or not operate correctly. In addition, web fonts might not be displayed, and images might be replaced with a missing image icon’. Apple has also stated separately that just-in-time (JIT) JavaScript compilation is disabled, which removes a large and historically bug-prone part of the JavaScript engine from the exposed surface, at the cost of slower script execution. An in-depth review of the changes to web browsing was conducted separately by independent researchers Russell Graves and Alexis Lours. The changes to the browser which were discovered are:
FaceTime

In regard to FaceTime, Apple states that ‘Incoming FaceTime calls are blocked unless you have previously called that person or contact. Features such as SharePlay and Live Photos are unavailable’. Blocking unsolicited incoming calls prevents an attacker from reaching the FaceTime call-handling code, and any zero-day vulnerability in it, without first being someone the user has already called. Removing SharePlay and Live Photos takes further code paths, and any bugs in them, out of reach. Calls from previously contacted parties are still accepted, so FaceTime could still be used to mount an attack, but the attacker would first have to get the user to call them, or compromise a contact the user has already called. This is a ‘deny by default’ approach, and it forces a more involved attack.

Apple services

It was stated that ‘Incoming invitations for Apple services, such as invitations to manage a home in the Home app, are blocked unless you have previously invited that person. Game Center is also disabled’. As with FaceTime, blocking incoming invitations and disabling Game Center reduces the attack surface: an attacker can no longer send an unsolicited invitation that exercises a vulnerable code path, and must first have received an invitation from the device owner to interact with these services at all. Blocking incoming invitations also defeats some phishing attempts that use a service invitation as the lure, for example an invitation sent by a malicious individual posing as a known or trusted person.

Photos

Apple states that ‘When you share photos, location information is excluded. Shared albums are removed from the Photos app, and new Shared Album invitations are blocked. You can still view these shared albums on other devices that don’t have Lockdown Mode enabled’. This change is primarily about privacy: stripping location metadata from shared photos prevents accidental disclosure of where the user has been, and removing shared albums leaves one fewer channel through which photos and their metadata can leak. Withdrawing shared albums and shared album invitations also removes another path by which unsolicited content is delivered to, and parsed on, the device.

Device connections

It is stated that ‘To connect your iPhone or iPad to an accessory or another computer, the device needs to be unlocked. To connect your Mac laptop with Apple silicon to an accessory, your Mac needs to be unlocked and you need to provide explicit approval’. Physical accessories are another avenue for compromise: a modified charging cable or a USB device can present itself to the phone as a host or accessory and attempt to talk to it, or to pull data from it, without the user realising. A well-known example is ‘juice jacking’, where a malicious actor places a tampered USB charging port or cable in a public space such as an airport or café; a user who plugs in to charge is then exposed to data theft or malware delivery over the cable’s data lines. Requiring the device to be unlocked (and, on Apple silicon Macs, explicitly approved) before an accessory can establish a data connection means an attacker with brief physical access to a locked device gets a power connection and nothing more. The protection is only as good as the user’s judgement, however: a malicious accessory that the user unlocks for, or approves, is still connected.
Wireless connectivity

Apple states that ‘Your device won't automatically join non-secure Wi-Fi networks and will disconnect from a non-secure Wi-Fi network when you turn on Lockdown Mode. 2G cellular support is turned off’. Apple does not define ‘non-secure Wi-Fi network’, so it is difficult to say exactly what this does. The classification is most likely based on the wireless security protocol in use, or on whether the network is open and requires no authentication at all. Outdated protocols such as Wired Equivalent Privacy (WEP) and the original Wi-Fi Protected Access (WPA, with TKIP) have known weaknesses that attackers can exploit to recover keys or decrypt traffic, and an open network gives anyone in range a position on the same link as the victim. The likely intent is to prevent traffic from being intercepted and to deny attackers a foothold for delivering malware. Many services still use unencrypted protocols such as the Hypertext Transfer Protocol (HTTP) for web applications or File Transfer Protocol (FTP) for file transfer, so anything an attacker intercepts on such a network can be read or modified in transit. Being on the same network also lets an attacker enumerate devices, reach any services they expose, and attempt to exploit a device vulnerability directly. Turning off 2G closes a related gap: 2G (GSM) networks do not authenticate the base station to the phone, so a rogue cell site can force a phone down to 2G and intercept or manipulate its traffic.

Configuration profiles

It is stated ‘Configuration profiles can’t be installed, and the device can’t be enrolled in Mobile Device Management or device supervision while in Lockdown Mode’. Configuration profiles, mobile device management (MDM), and device supervision are typically used by organisations to configure and manage fleets of devices. Because they allow a third party to change settings, install certificates and apps, and read device information, a compromised MDM account, or a profile the user is tricked into installing, becomes a powerful tool for exfiltrating data or installing malware on the device.
Preventing configuration profiles from being installed and the device from being enrolled in management or supervision keeps governance of the device solely in the owner’s hands, and again removes a set of features that might contain vulnerabilities.

Conclusion

Overall, the features Apple have implemented for Lockdown Mode reduce the attack surface of a user’s device and improve its privacy posture. Apple have chosen to remove functionality rather than build more complex mitigations around it. This affects the user experience, for example through decreased browser performance, but Apple has explicitly stated this is an extreme, optional measure. Even with Lockdown Mode enabled, the user’s own actions can still compromise the device; some of the changes, such as blocking links and most attachment types in Messages, help prevent such mistakes. A potential drawback of Lockdown Mode is digital fingerprinting. Because few people use it, simply having it enabled can make a user identifiable. Through browser fingerprinting, for example, a site can recognise a Lockdown Mode user by the web technologies that have been disabled, since the majority of web users would not accept the performance and functionality loss of disabling them. The only real remedy is adoption: the more people who use Lockdown Mode, the harder it becomes to distinguish individual devices within that group. Lockdown Mode should not be seen as a guarantee of device security. If a device is already compromised before the mode is enabled, it is likely to be ineffective, and even with all of these features in place, what the user does with the device will have the largest effect on their privacy and security.

Author: Julius Staufenberg
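The fingerprinting drawback raised in the conclusion can be made concrete. The script below is an added example; it is not Apple's code and not part of the original post. It probes a window-like object for features a page can check in one line of JavaScript, builds the per-visitor key a tracker would store, and computes how many bits of identifying information that key carries within an observed population (log2 of population size over number of matches). The two probes used, that the WebAssembly global is absent and that @font-face web fonts do not load, are assumptions based on independent testing of Lockdown Mode; Apple only says that ‘certain complex web technologies’ and web fonts are affected. The user-agent strings, window stubs and visitor population are constructed so the script runs under Node without a browser.

```javascript
// Added example (not Apple's code, not from the original post): how cheaply a
// website can tell Lockdown Mode visitors apart, and how much identifying
// information that leaks. ASSUMPTIONS, not statements by Apple: the two probes
// below (WebAssembly global absent; @font-face web fonts do not load) are what
// independent testing of Lockdown Mode reported.

// Probe a window-like object for features Lockdown Mode is assumed to remove.
// In a real page `win` is the global `window`; here stubs are passed instead.
function probeFeatures(win) {
  const fonts = win.document && win.document.fonts;
  return {
    webAssembly: typeof win.WebAssembly !== "undefined",
    // A real page would first load an @font-face rule and then ask the
    // FontFaceSet whether it is usable; the stub's check() stands in for that.
    webFonts: !!(fonts && typeof fonts.check === "function" &&
                 fonts.check("12px ProbeWebFont")),
  };
}

// Serialise probe results into the key a tracker would store per visitor.
function featureKey(features) {
  return Object.keys(features).sort()
    .map((k) => `${k}=${features[k] ? 1 : 0}`)
    .join(";");
}

// Heuristic: a Safari user agent with both features missing looks like
// Lockdown Mode. Chrome never matches because its UA string carries "Chrome/".
function looksLikeLockdown(win) {
  const f = probeFeatures(win);
  const ua = (win.navigator && win.navigator.userAgent) || "";
  const isSafari = /Safari\//.test(ua) && !/Chrome\//.test(ua);
  return isSafari && !f.webAssembly && !f.webFonts;
}

// Surprisal of a feature key within an observed population: log2(N / matches)
// bits. A key shared by half the visitors is worth 1 bit; a key seen on 2 of
// 10,000 visitors is worth about 12.3 bits, a large slice of the ~33 bits
// needed to single out one person among everyone on Earth.
function fingerprintBits(populationKeys, key) {
  const n = populationKeys.length;
  const matches = populationKeys.filter((k) => k === key).length;
  return matches === 0 ? Infinity : Math.log2(n / matches);
}

// Constructed stand-ins for `window`: a normal Safari and a Lockdown Mode Safari.
const SAFARI_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1";
const NORMAL_WINDOW = {
  WebAssembly: {},
  navigator: { userAgent: SAFARI_UA },
  document: { fonts: { check: () => true } },
};
const LOCKDOWN_WINDOW = {
  // no WebAssembly property at all
  navigator: { userAgent: SAFARI_UA },
  document: { fonts: { check: () => false } },
};

const NORMAL_KEY = featureKey(probeFeatures(NORMAL_WINDOW));
const LOCKDOWN_KEY = featureKey(probeFeatures(LOCKDOWN_WINDOW));

// Constructed population: 10,000 visitors, 2 of them in Lockdown Mode.
const SAMPLE_POPULATION = Array(9998).fill(NORMAL_KEY).concat(Array(2).fill(LOCKDOWN_KEY));

console.log("normal   :", NORMAL_KEY,
  fingerprintBits(SAMPLE_POPULATION, NORMAL_KEY).toFixed(4), "bits");
console.log("lockdown :", LOCKDOWN_KEY,
  fingerprintBits(SAMPLE_POPULATION, LOCKDOWN_KEY).toFixed(4), "bits");
console.log("classified as Lockdown:",
  looksLikeLockdown(LOCKDOWN_WINDOW), looksLikeLockdown(NORMAL_WINDOW));
```

Run it with `node` to see that the two Lockdown visitors are worth roughly 12.3 bits each while the normal key is worth almost nothing. The surprisal figure is the quantitative form of the conclusion's point: if the Lockdown share of the population rose from 2 in 10,000 to 1 in 10, the same key would fall to about 3.3 bits, and the mode would stop being a useful tracking signal on its own.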