The Downside Of Apple’s Lockdown Mode: Websites Call Tell If You’re Using It
from the breaking-privacy-eggs-to-make-security-omelettes dept
Israeli exploit developer NSO Group has drawn a lot of heat over the past several months after it was revealed its malware had been deployed by its customers to target dissidents, journalists, opposition leaders, and other people governments don’t like but aren’t normally considered to be terrorists or criminals.
The sleek, award-winning Pegasus malware developed by NSO Group often targeted iPhone users — users who probably assumed the company’s commitment to user security made them impervious to hacking. These users were wrong. The zero-click exploit allowed government agencies to fully compromise phones without requiring any interaction from their targets.
In response, Apple patched its software, sued NSO Group, and began notifying suspected targets of Pegasus malware. Then it went further, upping its security game to protect users who felt they were more likely to be targeted by governments using NSO malware.
Last month, it introduced “Lockdown Mode” as a direct response to widespread hacking utilizing NSO exploits. This option will protect all Apple devices, including phones, iPads, and laptops. The option only takes a single button press to engage, prompting a reboot that deploys the new mode, preventing devices from accessing common attack vectors like message attachments, previewing web links, and wired connections to other devices (an option useful to government entities and malicious state hackers who have physical access to target devices).
This is a trade-off Apple is offering to all users, but something most likely to be used by those often targeted by malicious government hacking: dissidents, journalists, lawyers, politicians, religious leaders, etc. The mode limits what users can do with their devices in order to prevent government entities from doing things to these devices.
There is an unfortunate side effect to this privacy/security trade-off, as Lorenzo Franceschi-Bicchierai reports for Motherboard. The things “Lockdown Mode” prevent devices from doing might be immediately noticeable by those unable to do the things the mode prevents.
John Ozbay, the CEO of privacy focused company Cryptee, and a privacy activist, told Motherboard that any website or online ad can detect whether some regular features are missing, such as loading custom fonts, one of the features that Lockdown Mode disables.
“Let’s say you’re in China, and you’re using Lockdown Mode. Now, any website that you visit could effectively detect you are using Lockdown Mode, they have your IP address as well. So they will actually be able to identify that the user with this IP address is using Lockdown Mode,” Ozbay said in a call. “It’s a tradeoff between security and privacy. [Apple] chose security.”
Yikes. That means governments could prowl their own site logs for anomalies like these to find people who might be trying to keep these same governments out of their business (and devices).
This proof-of-concept site only looked for the loading of custom fonts, or in this case, the lack thereof. Other features common to sites that are blocked by Apple’s ultra-security mode could be scrutinized to draw the same conclusions.
The good news is this method of working backwards from anomalies to assumptions doesn’t necessarily mean those looking for these anomalies for surveillance reasons will necessarily be able to target devices (or users). These anomalies will definitely stand out if people are looking for them, but it doesn’t appear to collect enough information from locked devices to make targeting easy.
That being said, it’s enough to make security-conscious users stand out, and those prowling for this info might be able to draw inferences about repeat visitors or at least draw some conclusions about the makeup of web traffic.
Apple did not release an official statement but presumably the company knew this would be a possible outcome and traded a small bit of privacy for much bigger security gains. But that’s true of nearly any effort that raises the bar for either privacy or security. Things done or not done tend to stand out when most web traffic behaves far more predictably. Hopefully, the security provided by lockdown mode will mitigate the extra attention it draws to itself.
Filed Under: lockdown mode, privacy, tracking
Companies: apple, nso group
Comments on “The Downside Of Apple’s Lockdown Mode: Websites Call Tell If You’re Using It”
I’ve got news for John and the readership here:
I currently use the Lockdown app. Guess what it does? It creates a local “VPN” that filters content, including most ads and some regular features such as loading custom fonts.
So there’s no way anyone’s going to be able to tell if I’m in Lockdown mode on my phone, because I’m already filtering that stuff. As are thousands of other people, many of which will never use Lockdown mode.
Re:
It doesn’t matter which thing you are doing, they don’t care about the specific implementation of blocking scripts, etc. They care that you aren’t acting like an I-leave-everything-default user.
Re: Re:
Good point; mine was that they can’t say “That person was in Lockdown mode!” with certainty — all they know is that they were using SOME sort of blocker; it could be the type that mostly blocks ads. So all they get to see is that the user was in a smaller group of users that filter their web content, not that they were in the Lockdown Mode group of users.
Re:
Are you talking about the “Lockdown Privacy” app, rather than the iOS feature “Lockdown Mode” released with iOS 16?
Because Lockdown Mode does not create a VPN. So if you are shiling Lockdown Privacy as some sort of better option – I will remind you that You are literally handing that data to Lockdown Privacy and trusting they act as they claim – a serious issue with VPNs generally, particularly when they are free.
Re: Re:
Sorry, I must not have been clear enough in how I phrased things, since the app and the mode share the same name.
Lockdown Privacy isn’t a VPN; it runs a local loop that uses Apple’s VPN feature to filter out content. Nothing leaves the device. They do offer a paid VPN service if you want to subscribe, but that’s not what I was talking about.
What I was talking about is that to a web server, using Lockdown Privacy (not the VPN) looks exactly the same as if you set your device into Lockdown mode — and since there are thousands of people using Lockdown Privacy, there’s a degree of uncertainty as to whether Lockdown mode has been enabled on the device.
Re: Re: Re:
What is the difference between a “local loop” based “apple vpn” and a normal vpn? I dont know anything about vpn for the record. Also – when I use the lockdown app, it won’t let me use their firewall without allowing the vpn to be clicked on. Why is this? Is this a safety issue or dangerous feature?
This reminds me of the person who tried to cover his tracks by making a bomb threat using Tor; but who was then busted because he IDed himself connecting to the school network and was the only person using Tor on it at the time.
https://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-harvard-bomb-threats-across-tor
This isn’t because of Apple tattling on the user, but the fact its refusing to display any fonts which can make any person who knows anything about browser forensics deduce they are running on a phone with no JS. Similar to Tor disabling javascript and Noscript installations refusing to provide a list of custom fonts due to no JS.
They could load fake fonts but then that would make it easier to ID a lockdown user. They could also pretend to load JS but it would obviously fail to run and break sites.
Re:
Very similar. Tor Browser only does that at the “safest” security setting, which also disables custom fonts and some other stuff.
Blending in with the noise
The best antidote against web-sites or any third-party being able to deduct that you are using ‘lockdown mode’ or other features is for Apple (and other relevant parties) to make lockdown mode as non-intrusive as possible so it can slowly be made a default setting. Thus when everyone is using it nobody really is.
Seeing how lockdown mode disables JIT for the JavaScript runtime which is a major part of recent browser exploits it will be interesting to see what potential exploits will look like.
Call tell?
Re:
Curious that a typo in the headline has lasted so long. Eh… maybe “end of day” and everyone pushed articles and logged off.
Now, any website that you visit could effectively detect you are using Lockdown Mode, they have your IP address as well.
Well, I don’t know about Chinese mobile broadband users, but I do know that if anyone was to look up my IP address, it will only lead them to Tesco Mobile or O2, not directly to me. So there’s more legwork to do after that point. Way to scare people out of using a security feature, though. Does John Ozbay work for China?
Re:
Does John Ozbay work for China?
More like NSO. 😉
Isn’t this what /dev/null is for?
Re:
How would /dev/null accomplish the same things?
NSO should be shut down
Its illegal to hack anyone, so why is it legal for NSO to sell hacking software? They shouldnt be allowed to sell hacking software to anyone. Not dictators, not police, not the irs. Shut them down.