Apple says people using lockdown mode have not been hacked with spyware

It’s been nearly four years since it introduced a security feature called Lockdown Mode, but Apple says it’s yet to see an instance of someone’s device being hacked with these additional security protections turned on.

“We have not heard of any successful mercenary spyware attacks against Apple devices with Lockdown Mode enabled,” Apple spokesperson Sarah O’Rourke told TechCrunch on Friday.

This is the latest assertion from the tech giant, which first claimed a year after the security feature’s debut, that Apple devices with lockdown mode can withstand government spyware attacks.

Apple announced lockdown mode in 2022. This is an opt-in series of security protections that turns off certain features on iPhones and other Apple devices that are commonly used by spyware to hack targets. Apple released this security mode specifically to protect customers at risk from threats posed by government spyware created by companies such as Intellexa, NSO Group, and Paragon Solutions.

In recent years, Apple has acknowledged that its customers can be hacked by spyware and has become more proactive in notifying targeted customers.

Apple has sent numerous notifications to users in more than 150 countries warning them that they may have been hacked by spyware. This shows how much visibility the company currently has against these types of attacks. Apple hasn’t said how many users it notified, but it’s safe to assume it’s dozens, if not more.

Donncha Ó Carebail, head of Amnesty International’s security lab who has investigated dozens of spyware attacks, said he and his colleagues have seen “no evidence that mercenary spyware has successfully compromised iPhones that were in lockdown mode at the time of the attack.”

Digital rights groups such as Amnesty International and the University of Toronto’s Citizen Lab have documented several successful attacks against iPhone users, but none of them mention bypassing lockdown mode. In at least two cases, Citizen Lab researchers have publicly stated that they witnessed Lockdown Mode actively blocking spyware attacks, one run on NSO’s Pegasus and another on Predator spyware created by a company that is now part of Intellexa.

In at least one documented case of a spyware attack targeting iPhones, security researchers at Google say that if the spyware detects lockdown mode, it avoids infecting the victim, likely as a means to evade detection.

Patrick Wardle, an Apple cybersecurity expert and commentator, said lockdown mode is an important feature that makes it harder for spyware makers to attack Apple users.

“I think it’s fair to say that Lockdown Mode is one of the most aggressive consumer enhancements we’ve ever shipped,” he told TechCrunch.

Wardle explained that lockdown mode “shrinks the attack surface” by eliminating many of the techniques typically used to exploit iPhones, forcing spyware authors to develop more complex and expensive techniques.

“It blocks most message attachment types and limits the functionality of WebKit, thus breaking the entire delivery mechanism/exploit class. This actually significantly reduces the remotely reachable attack surface, especially for zero-click exploit chains,” he said, referring to hacks that can target people over the internet without any interaction from the victim.

Lockdown mode may have been bypassed, and neither Apple nor independent investigators have caught the attack. But the statement marks an important milestone for Lockdown Mode, given that Apple is typically reticent publicly at the best of times.

I’ve been using Lockdown Mode for years, and I rarely think about it except for the occasional potentially confusing notification that pops up. Some features that are turned off require you to take additional steps, such as copying a link from a text message and pasting it into your browser. That’s why I and several digital security experts recommend that anyone worried about being targeted by spyware or digital attacks turn on lockdown mode.