iPhone Lockdown Mode is an extreme form of security designed to protect people who might find themselves targets of state-sponsored spyware, like Pegasus. However, a privacy activist says it also makes it easy for a website to detect when someone is using it – and has demonstrated this.
So what is designed to be protection against rogue governments could actually end up helping them identify people who may be of interest …
iPhone Lockdown Mode
Lockdown Mode was developed by Apple in response to spyware like NSO’s Pegasus. Here’s what Apple has to say about it:
Lockdown Mode is an extreme, optional protection that should only be used if you believe you may be personally targeted by a highly sophisticated cyberattack. Most people are never targeted by attacks of this nature.
When iPhone is in Lockdown Mode, it will not function as it typically does. Apps, websites, and features will be strictly limited for security, and some experiences will be completely unavailable.
One of the things the mode does is prevent the loading of custom fonts from websites, as they are one potential way to inject malware.
Using it could make you a target
John Ozbay, CEO of privacy-focused company Cryptee and a privacy activist, told Motherboard that it’s this element that creates a risk. It’s trivial for a website to detect when a visitor’s browser cannot load custom fonts, and this signals that the visitor is likely using an iPhone in Lockdown Mode.
“Let’s say you’re in China, and you’re using Lockdown Mode. Now, any website that you visit could effectively detect you are using Lockdown Mode, they have your IP address as well. So they will actually be able to identify that the user with this IP address is using Lockdown Mode,” Ozbay said in a call. “It’s a tradeoff between security and privacy. [Apple] chose security.”
Ozbay said that there are several features that Lockdown Mode disables, and that websites could detect, but the lack of loading custom fonts is “the easiest thing to detect and exploit.”
To demonstrate just how easy it is to do this, Cryptee created a proof-of-concept website to identify those using Lockdown Mode. Ozbay said it took just five minutes to create the code to do this.
Ryan Stortz, an independent security researcher, agreed that this is a risk.
“Obviously you have to opt into Lockdown Mode and are sorta signaling that you think you’re potentially of interest to a nation state attacker.”
Apple cannot do anything to prevent this
It’s important to point out that this is not a bug in Lockdown Mode, but rather an unavoidable consequence of this type of protection. Stortz likened it to using Tor.
“Fingerprinting is sadly a trade off we always have to deal with. The same is true of Tor and the Tor Browser—they go to huge lengths to reduce any fingerprinting ability but you end up standing out because you’re the one with less traceable fingerprints.”
Not an issue for most people
It’s worth stressing that this is not an issue for a typical iPhone user. Lockdown Mode is designed only for those who have reason to believe that they could be the subject of an individually targeted attack by a nation state. This would typically include diplomats, politicians, activists, human rights campaigners – as well as journalists and lawyers reporting on topics that governments may not wish to be exposed.
Even for those who do need this level of security, it would still require them to visit a website that has the detection code embedded. However, for individual targets, it would not be difficult for a government to make this happen, by including the code on websites that targets have to visit for things like permits and visas.