Apple last week announced new security features specifically intended to offer “specialized additional protection to users who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware.”
In its announcement, the maker of iPhones, iPads, and Macs stated that its new “Lockdown Mode” represents a “groundbreaking security capability.” Lockdown Mode, which is available to users of a range of devices running Apple’s latest OS beta releases, is supposed to improve device security by limiting certain functionality and thereby reducing the attack surface on which advanced attack tools can exploit vulnerabilities; the new secure mode is intended to combat hacking products such as NSO Group’s Pegasus, which has been used by governments around the world to spy on people. Not all of the elements within Lockdown Mode are completely new – some have been available, and enabled by users (including me), for years – but Lockdown Mode does dramatically simplify the process of enabling better security on Apple devices.
According to Apple, Lockdown Mode is intended to be used by the small group of people who are likely to be targeted by highly advanced cyberattacks – a group that seemingly includes me, having myself been targeted by a highly sophisticated state-sponsored attack in the not-so-distant past.
While Apple’s effort to offer improved security capabilities to people who need them is certainly a noble one, its confidence and messaging to the public are concerning.
To begin with, it is important to understand that, like most vendors, Apple has touted its security features in the past, and yet at least some of the dangers against which the new features are intended to protect exist precisely because sophisticated attackers have proven capable of defeating Apple’s security technologies. While the need to undermine new security features and penetrate a reduced attack surface will likely make such attackers’ jobs more difficult, there is no assurance that all vulnerabilities currently being exploited by NSO Group and its counterparts will suddenly become non-exploitable as soon as a user enables Lockdown Mode. Likewise, there is no guarantee that producers of advanced attack tools will not discover new exploitable weaknesses. When one considers that various attackers who have proven capable of circumventing Apple’s security have made fortunes by doing so, and that some of their respective businesses and missions depend on their continuing to do so, it seems unwise to bet that Lockdown Mode will be a panacea. Of course, Apple is not claiming that Lockdown Mode is perfect; I do wonder, however, whether the tone of Apple’s announcement will induce people to use Apple products when they otherwise would not do so due to concerns about potential exposure to highly sophisticated attacks.
Additionally, keep in mind that while Lockdown Mode may make it more difficult for attackers to exploit social engineering in order to compromise devices, until Apple more strictly controls what apps it allows in its App Store, potential government spying remains a major problem. Even in Lockdown Mode, for example, people can easily install apps that spy on them. Potentially worse is the fact that, within its hardware, Apple uses various components made in Chinese factories – not exactly a comforting fact for those of us who have been targeted by attacks believed to have been carried out on behalf of the Chinese government.
Also concerning is the fact that in Apple’s Lockdown announcement, Ivan Krstić, the firm’s Head of Security Engineering and Architecture, is quoted as saying that Apple “makes the most secure mobile devices on the market.”
Is that really true?
There appear to be many devices that are far more secure; besides various specialized secure-communication devices, there are also many inexpensive devices commonly sold here in New York City that one could reasonably consider substantially more secure than any modern iPhone. Does Apple really believe, for example, that NSO Group and its counterparts would find it easier to remotely enable spying on users of flip phones that lack cameras and Internet connectivity than on users of modern Apple devices? In the technologically advanced state of Israel, where the NSO Group is based, for example, there is a large market of so-called “kosher cellphones” that have “no Internet access and can only make and receive calls, have no camera, and cannot even receive SMS messages”; as a result of network configurations, such devices can even automatically block all incoming calls made from any device that doesn’t have a similar lack of capabilities. Are highly targeted journalists really better off storing data and making calls on iPhones in Lockdown Mode than with such “dumb” phones? (Flip phones are not totally immune from government surveillance and action either.)
Of course, Apple’s devices have many more features than the more primitive devices mentioned above – but that is the point: there are usability tradeoffs made for improvements in security, and Apple’s Lockdown Mode is no different; an Apple device in Lockdown Mode will not deliver the same level of usability as its counterparts running in standard mode. Nor should it. The question is where one should draw the line in balancing usability and security. And the messaging around Lockdown Mode may induce highly vulnerable people to err in this regard.
Obviously, I give kudos to Apple for offering Lockdown Mode. At the same time, however, I recommend that people who truly believe that they are likely to be targeted by parties using the likes of NSO Group’s Pegasus not rely on such a mode without first consulting an appropriate information-security expert. In the same vein that people at high risk for a dangerous disease should seek the advice of a relevant doctor and not seek to treat themselves, and people charged with crimes should seek the guidance of attorneys and not attempt to defend themselves, people who are likely to be targeted by advanced cyberattacks and for whom the impact of such attacks can be devastating should receive professional assistance from cybersecurity specialists, not attempt a DIY fix by using a one-size-fits-all approach.