Researchers at Jamf Threat Labs on Tuesday posted a new report that explains how an iPhone can be hacked to display a fake version of Lockdown Mode, fooling the owner into thinking that their iPhone is secure.
Introduced in iOS 16, Lockdown Mode can be enabled if a user believes they are in a situation where they are a target for spyware. Available in iOS and iPadOS via the Privacy & Security settings, Lockdown Mode stops your device from performing certain functions that are used to install spyware, such as the ability to view images in the Messages app, or JavaScript in Safari. (Lockdown Mode is available in macOS as well, but Jamf’s research is specific to iOS and iPadOS.)
When a user turns on Lockdown Mode, the device needs to restart to put the changes into effect. Jamf discovered that it could create a bypass for this restart by having iOS trigger “a file named /fakelockdownmode_on
,” which would then initiate a userspace reboot, not the system reboot that is required. Jamf posted a video that shows the fake Lockdown Mode in action.
Lockdown Mode could be interpreted as antivirus software that detects when a device has been compromised, but that is incorrect. Lockdown Mode is a method to prevent infection, but, as Jamf points out, “iPhone users should be aware that if their device has already been infected, activating Lockdown Mode will not affect a trojan that has already breached the system.”
Jamf’s demonstration is a proof of concept. “This is not a flaw in Lockdown Mode or an iOS vulnerability, per se; it is a post-exploitation tampering technique that allows the malware to visually fool the user into believing that their phone is running in Lockdown Mode,” said Jamf. The researchers also point out that this technique has not been observed in the wild.
How to protect yourself from fake Lockdown Mode
For a hacker to create a fake Lockdown Mode scenario, successful access to the device is needed. It’s important to use security features such as Face ID or Touch ID and to use a complex passcode. Don’t open links in messages from unknown users or let unfamiliar people use your device. Fortunately, Jamf’s concept is somewhat complicated to execute, so it’s unlikely that an everyday user will be a target.
Apple has not commented on Jamf’s findings. The company will likely create a patch in a future iOS update to address the issue, so it’s important to update your device’s operating system on a regular basis.