The Downside Of Apple’s Lockdown Mode: Websites Call Tell If You’re Using It

from the breaking-privacy-eggs-to-make-security-omelettes dept

Israeli exploit developer NSO Group has drawn a lot of heat over the past several months after it was revealed its malware had been deployed by its customers to target dissidents, journalists, opposition leaders, and other people governments don’t like but aren’t normally considered to be terrorists or criminals.

The sleek, award-winning Pegasus malware developed by NSO Group often targeted iPhone users — users who probably assumed the company’s commitment to user security made them impervious to hacking. These users were wrong. The zero-click exploit allowed government agencies to fully compromise phones without requiring any interaction from their targets.

In response, Apple patched its software, sued NSO Group, and began notifying suspected targets of Pegasus malware. Then it went further, upping its security game to protect users who felt they were more likely to be targeted by governments using NSO malware.

Last month, it introduced “Lockdown Mode” as a direct response to widespread hacking utilizing NSO exploits. This option will protect all Apple devices, including phones, iPads, and laptops. The option only takes a single button press to engage, prompting a reboot that deploys the new mode, preventing devices from accessing common attack vectors like message attachments, previewing web links, and wired connections to other devices (an option useful to government entities and malicious state hackers who have physical access to target devices).

This is a trade-off Apple is offering to all users, but something most likely to be used by those often targeted by malicious government hacking: dissidents, journalists, lawyers, politicians, religious leaders, etc. The mode limits what users can do with their devices in order to prevent government entities from doing things to these devices.

There is an unfortunate side effect to this privacy/security trade-off, as Lorenzo Franceschi-Bicchierai reports for Motherboard. The things “Lockdown Mode” prevent devices from doing might be immediately noticeable by those unable to do the things the mode prevents.

John Ozbay, the CEO of privacy focused company Cryptee, and a privacy activist, told Motherboard that any website or online ad can detect whether some regular features are missing, such as loading custom fonts, one of the features that Lockdown Mode disables. 

“Let’s say you’re in China, and you’re using Lockdown Mode. Now, any website that you visit could effectively detect you are using Lockdown Mode, they have your IP address as well. So they will actually be able to identify that the user with this IP address is using Lockdown Mode,” Ozbay said in a call. “It’s a tradeoff between security and privacy. [Apple] chose security.”

Yikes. That means governments could prowl their own site logs for anomalies like these to find people who might be trying to keep these same governments out of their business (and devices).

This proof-of-concept site only looked for the loading of custom fonts, or in this case, the lack thereof. Other features common to sites that are blocked by Apple’s ultra-security mode could be scrutinized to draw the same conclusions.

The good news is this method of working backwards from anomalies to assumptions doesn’t necessarily mean those looking for these anomalies for surveillance reasons will necessarily be able to target devices (or users). These anomalies will definitely stand out if people are looking for them, but it doesn’t appear to collect enough information from locked devices to make targeting easy.

That being said, it’s enough to make security-conscious users stand out, and those prowling for this info might be able to draw inferences about repeat visitors or at least draw some conclusions about the makeup of web traffic.

Apple did not release an official statement but presumably the company knew this would be a possible outcome and traded a small bit of privacy for much bigger security gains. But that’s true of nearly any effort that raises the bar for either privacy or security. Things done or not done tend to stand out when most web traffic behaves far more predictably. Hopefully, the security provided by lockdown mode will mitigate the extra attention it draws to itself.

Filed Under: , ,
Companies: apple, nso group

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “The Downside Of Apple’s Lockdown Mode: Websites Call Tell If You’re Using It”

Subscribe: RSS Leave a comment
Anonymous Coward says:

John Ozbay, the CEO of privacy focused company Cryptee, and a privacy activist, told Motherboard that any website or online ad can detect whether some regular features are missing, such as loading custom fonts, one of the features that Lockdown Mode disables.

I’ve got news for John and the readership here:
I currently use the Lockdown app. Guess what it does? It creates a local “VPN” that filters content, including most ads and some regular features such as loading custom fonts.

So there’s no way anyone’s going to be able to tell if I’m in Lockdown mode on my phone, because I’m already filtering that stuff. As are thousands of other people, many of which will never use Lockdown mode.

Anonymous Coward says:

Re: Re:

Good point; mine was that they can’t say “That person was in Lockdown mode!” with certainty — all they know is that they were using SOME sort of blocker; it could be the type that mostly blocks ads. So all they get to see is that the user was in a smaller group of users that filter their web content, not that they were in the Lockdown Mode group of users.

James Burkhardt (profile) says:


Are you talking about the “Lockdown Privacy” app, rather than the iOS feature “Lockdown Mode” released with iOS 16?

Because Lockdown Mode does not create a VPN. So if you are shiling Lockdown Privacy as some sort of better option – I will remind you that You are literally handing that data to Lockdown Privacy and trusting they act as they claim – a serious issue with VPNs generally, particularly when they are free.

Anonymous Coward says:

Re: Re:

Sorry, I must not have been clear enough in how I phrased things, since the app and the mode share the same name.

Lockdown Privacy isn’t a VPN; it runs a local loop that uses Apple’s VPN feature to filter out content. Nothing leaves the device. They do offer a paid VPN service if you want to subscribe, but that’s not what I was talking about.

What I was talking about is that to a web server, using Lockdown Privacy (not the VPN) looks exactly the same as if you set your device into Lockdown mode — and since there are thousands of people using Lockdown Privacy, there’s a degree of uncertainty as to whether Lockdown mode has been enabled on the device.

Anonymous Coward says:

This isn’t because of Apple tattling on the user, but the fact its refusing to display any fonts which can make any person who knows anything about browser forensics deduce they are running on a phone with no JS. Similar to Tor disabling javascript and Noscript installations refusing to provide a list of custom fonts due to no JS.

They could load fake fonts but then that would make it easier to ID a lockdown user. They could also pretend to load JS but it would obviously fail to run and break sites.

Anonymous Coward says:

Blending in with the noise

The best antidote against web-sites or any third-party being able to deduct that you are using ‘lockdown mode’ or other features is for Apple (and other relevant parties) to make lockdown mode as non-intrusive as possible so it can slowly be made a default setting. Thus when everyone is using it nobody really is.

Seeing how lockdown mode disables JIT for the JavaScript runtime which is a major part of recent browser exploits it will be interesting to see what potential exploits will look like.

Naughty Autie says:

Now, any website that you visit could effectively detect you are using Lockdown Mode, they have your IP address as well.

Well, I don’t know about Chinese mobile broadband users, but I do know that if anyone was to look up my IP address, it will only lead them to Tesco Mobile or O2, not directly to me. So there’s more legwork to do after that point. Way to scare people out of using a security feature, though. Does John Ozbay work for China?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...