The spyware, called Pegasus, is complex. In essence, it works by taking advantage of zero-day, zero-click exploits on iPhones and Android phones. Zero-day exploits are exploits not yet known to the phone manufacturers, and they can often be delivered remotely to a target’s phone via a simple text message or link, with no user interaction required (hence “zero-click”). Once Pegasus is installed, virtually anything a target does on the phone can be accessed and controlled by the NSO client targeting that user.
NSO’s Pegasus spyware has been called a threat to democracy. Its use against journalists and human rights activists is one of the reasons Apple has filed a lawsuit against the company seeking to bar it from using Apple’s products and services. That would make it much harder for NSO to find zero-day exploits on Apple devices.
But Apple doesn’t rely solely on the courts to fight NSO Group, Pegasus and other spyware makers around the world. The company has announced that it will soon be launching a new feature on its iPhones, iPads and Macs called “Lockdown Mode”.
This feature, which will be released this fall as part of iOS 16, iPadOS 16, and macOS Ventura, is what Apple calls an “extreme” solution for those who may be targeted by Pegasus and other highly sophisticated spyware. You can see why Apple thinks Lockdown Mode is extreme: when users activate it, many of their iPhone’s features will be rendered useless.
Here’s how it works: if users think they’re at risk from a spyware attack, or are warned that they’re the victim of one (something Apple has been doing since November 2021), they can quickly turn on Lockdown Mode, which is located in the Privacy & Security section of the Settings app. Once users select Lockdown Mode, their iPhone, iPad, or Mac will reboot and the following features will not be available:
- All message attachments in the Messages app, except photos, from all senders
- FaceTime calls from people you haven’t FaceTimed before
- Several web browser technologies, including advanced ones such as just-in-time (JIT) JavaScript compilation
- Shared photo albums and new requests for shared albums in the Photos app
- Wired connections from an iPhone to another device (using a USB cable), when the iPhone is locked
- Invitations in Apple Services from people you haven’t interacted with before
- Configuration profiles, such as those used by VPNs or school networks
What these blocked features have in common is that they are often the vectors used to deliver zero-day, zero-click exploits.
Fortunately, most Apple users will never have to worry about Lockdown Mode: most people won’t be the target of highly sophisticated spyware such as Pegasus. For those at risk, however, Lockdown Mode should be a huge boon, as it quickly locks down all known spyware access paths to an iPhone.
Problems in sight
In the coming years, the worldwide use of spyware by militaries or mercenaries is only expected to increase, endangering the safety, or even the lives, of thousands of journalists and human rights defenders. Apple says it has already detected spyware use against its users in 151 countries around the world. However, the company declined to reveal how many users were targeted, citing the ongoing lawsuit against NSO Group.
On a positive note, Apple says that Lockdown Mode in its current form would have successfully thwarted all past Pegasus spyware attacks, based on all currently known exploit vectors. Still, Apple recognizes that the fight against spyware is a cat-and-mouse game. That’s why Lockdown Mode is designed to be extensible: if new exploit vectors are detected in the future, Apple will tweak the feature to combat them.
Lockdown Mode is available in the current developer betas of iOS 16, iPadOS 16, and macOS Ventura and will ship to all users this fall with the public release of those operating systems. Ivan Krstić, Apple’s chief of security engineering and architecture, announced the feature: “Lockdown Mode is a groundbreaking capability that reflects our unwavering commitment to protecting users from even the rarest, most sophisticated attacks. Although the vast majority of users will never fall victim to highly targeted cyberattacks, we will work tirelessly to protect the small number of users that are.”