Apple says no one using Lockdown mode has been compromised by spyware

Nearly four years after launching a security feature called Lockdown Mode, Apple says it has yet to see a case where someone’s device has been compromised with these additional security protections turned on.

“We are not aware of any successful mercenary spyware attacks against an Apple device that supports Lockdown Mode,” Apple spokeswoman Sarah O’Rourke told TechCrunch on Friday.

It’s the tech giant’s latest assertion that Apple devices with Lockdown Mode can withstand government spyware attacks, after the claim was first made a year after the security feature first appeared.

In 2022, Apple announced Lockdown Mode, an optional series of security protections that turn off certain features in iPhones and other Apple devices that are commonly exploited to compromise targets using spyware. Apple released this security mode specifically to help vulnerable customers defend themselves from threats posed by government spyware made by companies like Intellexa, NSO Group, and Paragon Solutions.

In recent years, Apple has acknowledged that its customers could be compromised by spyware, and has been more active in notifying customers who have been targeted.

Apple has sent out multiple batches of notifications to users in more than 150 countries, alerting them that they may have been compromised using spyware, demonstrating how much visibility the company now has into these types of attacks. Apple has never said how many users it has notified, but it’s safe to assume there are dozens, if not more.

Donncha O Kerbhill, head of Amnesty International’s Security Lab, where it has investigated dozens of spyware attacks, said he and his colleagues “have seen no evidence of an iPhone being successfully compromised by mercenary spyware where lockout mode was enabled at the time of the attack.”

Digital rights organizations such as Amnesty International and the University of Toronto’s Citizen Lab have documented several successful attacks on iPhone users, none of which reported bypassing Lockdown Mode. In at least two cases, Citizen Lab researchers have said publicly that they saw Lockdown mode effectively block spyware attacks, one carried out using NSO’s Pegasus software, and the other using Predator spyware, made by a company that is now part of Intellexa.

In at least one documented case of a spyware attack targeting iPhones, Google security researchers said the spyware would avoid trying to infect the victim if it detected Lockdown Mode, likely as a way to avoid detection.

Lockdown Mode is an important feature that makes it harder for spyware makers to attack Apple users, says Patrick Wardle, an Apple cybersecurity expert and critic.

“I think it’s safe to say that Lockdown Mode is one of the most aggressive consumer-facing hardening features ever,” he told TechCrunch.

By “reducing the attack surface,” Lockdown Mode eliminates many of the techniques typically used to exploit iPhones, forcing spyware makers to use techniques that are more complex and expensive to develop, Wardle explained.

“It kills entire delivery mechanisms/exploit classes, because it blocks most types of message attachments, and restricts WebKit features. This is already a significant reduction in the remotely accessible attack surface, especially for zero-click exploit chains,” he added, referring to exploits that can target people online without any interaction from the victim.

The security mode was likely bypassed, and neither Apple nor independent investigators were able to detect the attack. But given that Apple typically remains publicly silent at the best of times, its latest statement represents an important milestone in lockdown mode.

I’ve used Lock Mode for years, and I barely think about it — except when notifications pop up that can be confusing at times. Some turned off features require you to take an extra step, such as copying and pasting links from text messages to your browser. For this reason, I and many digital security experts recommend that anyone concerned about being targeted by spyware or digital attacks turn on Lockdown Mode.