
iPhone's Lockdown Mode Stops Spyware From Notorious NSO Group

'Lockdown Mode' in iOS 16 thwarts a zero-click exploit targeting iPhones, according to the watchdog group Citizen Lab. But NSO Group may have come up with a workaround.

By Michael Kan, Principal Reporter


"Lockdown Mode" on Apple’s iPhones was able to thwart hacking attempts from NSO Group, a notorious commercial spyware vendor.

The findings come from Citizen Lab, a watchdog group that’s been tracking NSO’s efforts to deliver spyware to a human rights group in Mexico. Last year, NSO Group deployed a new iOS exploit, dubbed “PwnYourHome,” which can secretly infiltrate a user’s iMessages app and tamper with the HomeKit software. 

However, Citizen Lab noticed the attack ran into a wall on iPhones that had activated Lockdown Mode, which arrived in September through iOS 16.

“For a brief period, targets that had enabled iOS 16’s Lockdown Mode feature received real-time warnings when PwnYourHome exploitation was attempted against their devices,” the watchdog group said in the report, which notes NSO Group began delivering the exploit in October.  

Figure: Lockdown Mode triggering the alert. Illustration derived from victim screenshots illustrating how Lockdown Mode displayed notifications related to NSO's PwnYourHome exploit.

That’s good news since Apple’s Lockdown Mode was designed to stymie professional spyware vendors from targeting users such as government officials and human rights activists. The optional Lockdown Mode restricts various processes on an iPhone, and while this can disable certain features, it can also prevent hacking attempts from secretly tampering with the OS. 

Citizen Lab found that Lockdown Mode was able to detect and block NSO Group’s PwnYourHome exploit by flagging its attempts to access the iPhone’s HomeKit software. “We have seen no recent notifications on Lockdown Mode, nor have we seen any evidence of successful PwnYourHome compromise on Lockdown Mode,” the group added.

Still, this could also mean NSO Group created a workaround to bypass Lockdown Mode, since its spyware is adept at deleting any traces of itself from infected iPhones.

“Given that we have seen no indications that NSO has stopped deploying PwnYourHome, this suggests that NSO may have figured out a way to correct the notification issue, such as by fingerprinting Lockdown Mode,” Citizen Lab added. 

NSO Group and Apple didn’t immediately respond to a request for comment. But Citizen Lab says it supplied Apple with forensic evidence from its investigations in October and January. So Cupertino has likely already developed new security measures to bolster Lockdown Mode. 

Citizen Lab adds: “While any one security measure is unlikely to blunt all targeted spyware attacks, and security is a multi-faceted problem, we believe this case highlights the value of enabling this feature for high-risk users that may be targeted because of who they are or what they do.”

The group's report also mentions uncovering evidence that NSO Group used two other iOS exploits to target iPhones earlier in 2022, before Lockdown Mode became available. Apple has since updated iOS to protect the software from the exploits.

UPDATE: In a statement, an Apple spokesperson said: “We are pleased to see that Lockdown Mode disrupted this sophisticated attack and alerted users immediately, even before the specific threat was known to Apple and security researchers. Our security teams around the world will continue to work tirelessly to advance Lockdown Mode and strengthen the security and privacy protections in iOS.”
