Lockdown Mode on Apple iPhones [3] [6], introduced by Apple last year [1] [2] [4] [5] [9], is designed to protect high-risk individuals from digital threats [1] [2] [4] [5] [9]. However, security researchers at Jamf Threat Labs have disclosed a tampering technique, called Fake Lockdown Mode, that can bypass this security feature.

Description

Fake Lockdown Mode is a post-exploitation tampering technique that tricks users into believing their device is in Lockdown Mode when it is not [2] [4]. Using malware already installed on the device together with visual cues such as device restarts and warnings in Safari, attackers can deceive iPhone users and continue covert attacks against the compromised device. The technique manipulates certain functions and creates a file that initiates a userspace reboot [1] [2] [4] [5]; because a userspace reboot restarts only user-space processes rather than the whole system, the malware keeps running after what looks to the user like a reboot [2] [4] [5]. Attackers can also alter the Lockdown Mode state of the Safari web browser to bypass its restrictions [9].

It is important to note that this tampering technique only works on iPhones that have already been infected with malware [7]. Sophisticated attacks like these typically target high-risk individuals [7], not ordinary users [7]. Apple has made clear that Lockdown Mode is intended for specific individuals at high risk of attack [7], and that enabling the feature may reduce the functionality available on the iPhone [7].

To address this vulnerability [8], Apple has elevated Lockdown Mode to the kernel level in iOS 17 [2] [4] [5] [9], making it harder to tamper with [1]. This discovery follows an earlier technique for maintaining access to an Apple device by tricking the victim into thinking Airplane Mode was enabled [1] [2] [4]. Jamf has not observed attackers using Fake Lockdown Mode [6], and Apple may release a further fix in iOS 18 to strengthen Lockdown Mode. Lockdown Mode is designed to limit entry points for attackers and reduce the attack surface of iOS devices [3], and it is most effective when enabled before an attack occurs [3] [7].

Conclusion

Lockdown Mode is not antivirus software and does not detect or warn about ongoing attacks [8]. Users should maintain device security by not sharing passwords [8], keeping their devices protected [8], and changing passcodes regularly [8]. Apple's elevation of Lockdown Mode to the kernel level in iOS 17 shows its commitment to addressing such vulnerabilities. While Fake Lockdown Mode is a threat, it requires a device that is already infected. By staying vigilant and following best practices, users can reduce the risks associated with this tampering technique.

References

[1] https://vulners.com/thn/THN:3A34820158EC868D9E510679E58CC138
[2] https://ciso2ciso.com/warning-for-iphone-users-experts-warn-of-sneaky-fake-lockdown-mode-attack-sourcethehackernews-com/
[3] https://theblogbyte.com/news-feed/tricking-lockdown-mode-on-iphones-a-proof-of-concept-technique-revealed/
[4] https://owasp.or.id/2023/12/05/experts-warn-of-sneaky-fake-lockdown-mode-attack/
[5] https://thehackernews.com/2023/12/warning-for-iphone-users-experts-warn.html
[6] https://www.tomsguide.com/news/this-iphone-attack-can-fool-you-into-thinking-its-in-lockdown-mode-how-to-stay-safe
[7] https://appleinsider.com/articles/23/12/05/jamf-shares-exploit-that-fools-users-into-believing-their-hacked-iphone-is-safe
[8] https://rodinanews.co.uk/news/how-fake-lockdown-mode-can-fool-you-into-a-sense-of-security/291205/
[9] https://www.443news.com/2023/12/experts-warn-of-sneaky-fake-lockdown-mode-attack/