Researchers from Jamf Threat Labs have exposed a manipulation technique that can fake Lockdown Mode on iOS, misleading users into a false sense of security. If a target device is already infected with malware, this technique can deceive the user through altered visual cues, making it seem as if Lockdown Mode is active when it actually is not.
Lockdown Mode, also known as the Block Mode, is a security feature introduced in September 2022 to safeguard Apple devices from targeted cyberattacks. Indeed, it has reportedly thwarted several attacks.
“To reduce the potential attack surface that highly specialized illegal spyware could exploit, certain apps, websites, and features are significantly restricted for security reasons, and some functions may not be available,” Apple explains in its support section regarding this feature.
Lockdown mode doesn’t protect against installed malware
However, Jamf researchers caution that while Lockdown Mode reduces the attack surface, it cannot prevent malware from running on a device that is already compromised. The feature only reduces the number of entry points available to an attacker before an attack succeeds; it does not remediate an existing infection.
If malware is already present on an iPhone, it can inject code that creates a fake Lockdown Mode. When a user enables Lockdown Mode on such a device, they see the usual visual cues indicating that the feature is active. In reality, however, no configuration change takes place, and the protections against attacks are never applied.
No iOS vulnerability
The researchers have shared technical details in their report on how such a fake Lockdown Mode can be implemented. They demonstrate its effect in a short video clip: whereas the genuine Block Mode protects the user in the Safari browser by prompting an additional security check before downloading a potentially dangerous PDF file, the same file is downloaded immediately and without any prompt under the fake Lockdown Mode.
The researchers emphasize that they did not exploit any iOS vulnerability; the technique is purely a manipulation of devices that are already compromised. So far, there have been no reported instances of this technique being used in real attacks. The Jamf researchers presented a similar manipulation technique in August, which targeted the airplane mode of iOS.