Lockdown Mode

Despite popular belief, iPhones can get infected with malware — but it is rare. Attackers taking advantage of zero-day vulnerabilities and zero-click exploits can infect a user’s device — though these sophisticated attacks are often expensive and difficult to execute.

Jamf Threat Labs has worked out a proof-of-concept post-exploitation tampering technique that makes an iPhone behave like it is in Lockdown Mode when it isn’t. The user can toggle Lockdown Mode and will see visual cues, like an apparent device restart and warnings in Safari that trick the user into a false sense of security.

This isn’t a flaw with Lockdown Mode, iPhone security, or the operating system. The tampering technique only works on devices that have already been infected with malware.

Jamf researched this proof-of-concept to emphasize that Lockdown Mode has limitations. It is a shield that reduces the attack surface on an iOS device, not anti-malware that detects infections and ejects them.

Lockdown Mode is most effective when used on a device before an attack occurs. It reduces the number of entry points available for an attacker.

Warnings tell the user Lockdown Mode is being activated

A system reboot can help stop malware from monitoring the user, but Jamf found a way to force a userspace reboot instead of a system reboot. That way, the injected code can maintain adaptable control over Lockdown Mode.

Lockdown Mode performs several actions, most of which are invisible to the user.

• Messages — Most message attachments are blocked, and some features are unavailable.
• FaceTime — Incoming FaceTime calls from people you have not previously called are blocked.
• Web Browsing — Some web technologies and browsing features are blocked.
• Shared Albums — Shared albums will be removed from the Photos app, and new Shared Albums invitations will be blocked.
• Device Connections…