from the breaking-privacy-eggs-to-make-security-omelettes dept
Israeli exploit developer NSO Group has drawn a lot of heat over the past several months after it was revealed its malware had been deployed by its customers to target dissidents, journalists, opposition leaders, and other people governments don’t like but aren’t normally considered to be terrorists or criminals.
The sleek, award-winning Pegasus malware developed by NSO Group often targeted iPhone users — users who probably assumed the company’s commitment to user security made them impervious to hacking. These users were wrong. The zero-click exploit allowed government agencies to fully compromise phones without requiring any interaction from their targets.
In response, Apple patched its software, sued NSO Group, and began notifying suspected targets of Pegasus malware. Then it went further, upping its security game to protect users who felt they were more likely to be targeted by governments using NSO malware.
Last month, it introduced “Lockdown Mode” as a direct response to widespread hacking utilizing NSO exploits. This option will protect all Apple devices, including phones, iPads, and laptops. The option only takes a single button press to engage, prompting a reboot that deploys the new mode, preventing devices from accessing common attack vectors like message attachments, previewing web links, and wired connections to other devices (an option useful to government entities and malicious state hackers who have physical access to target devices).
This is a trade-off Apple is offering to all users, but something most likely to be used by those often targeted by malicious government hacking: dissidents, journalists, lawyers, politicians, religious leaders, etc. The mode limits what users can do with their devices in order to prevent government entities from doing things to these devices.
There is an unfortunate side effect to this privacy/security trade-off, as Lorenzo Franceschi-Bicchierai reports for Motherboard. The things “Lockdown Mode” prevent devices from doing might be immediately noticeable by those unable to do the things the mode prevents.
John Ozbay, the CEO of privacy focused company Cryptee, and a privacy activist, told Motherboard that any website or online ad can detect whether some regular features are missing, such as loading custom fonts, one of the features that Lockdown Mode disables.
“Let’s say you’re in China, and you’re using Lockdown Mode. Now, any website that you visit could effectively detect you are using Lockdown Mode, they have your IP address as well. So they will actually be able to identify that the user with this IP address is using Lockdown Mode,” Ozbay said in a call. “It’s a tradeoff between security and privacy. [Apple] chose security.”
Yikes. That means governments could prowl their own site logs for anomalies like these to find people who might be trying to keep these same governments out of their business (and devices).
This proof-of-concept site only looked for the loading of custom fonts, or in this case, the lack thereof. Other features common to sites that are blocked by Apple’s ultra-security mode could be scrutinized to draw the same conclusions.
The good news is this method of working backwards from anomalies to assumptions doesn’t necessarily mean those looking for these anomalies for surveillance reasons will necessarily be able to target devices (or users). These anomalies will definitely stand out if people are looking for them, but it doesn’t appear to collect enough information from locked devices to make targeting easy.
That being said, it’s enough to make security-conscious users stand out, and those prowling for this info might be able to draw inferences about repeat visitors or at least draw some conclusions about the makeup of web traffic.
Apple did not release an official statement but presumably the company knew this would be a possible outcome and traded a small bit of privacy for much bigger security gains. But that’s true of nearly any effort that raises the bar for either privacy or security. Things done or not done tend to stand out when most web traffic behaves far more predictably. Hopefully, the security provided by lockdown mode will mitigate the extra attention it draws to itself.