Lockdown Mode, an iPhone feature introduced with iOS 16, is not an antivirus, does not detect malware, and cannot prevent malware from operating.
Therefore, hackers can create a fake Lockdown Mode and run malware operating in the background unabated, a report from Jamf Threat Labs has noted.
“Apple‘s Lockdown mode in iOS 16 is a useful feature for certain situations, but if your phone has already been compromised, Lockdown Mode won’t protect you,” the researchers claim. Threat actors can run a Fake Lockdown Mode “which shows that if a hacker has already infiltrated your device, they can cause Lockdown Mode to be “bypassed” when you trigger its activation.”
Making PDFs work
Lockdown Mode was introduced last year with the goal of bringing an extra layer of protection for high-level targets. Think journalists, dissidents, government employees, intellectuals, but also celebrities and similar. It is easy to turn on and makes some features on the endpoint unavailable, and some files blocked.
“By tricking the user into believing that their device is operating normally and that additional security features can be activated, the user is far less likely to suspect any malicious activity is taking place behind the scenes,” Michael Covington, vice president of portfolio strategy at Jamf, told The Hacker News.
“We did not expect that such a widely publicized security feature would have the user interface separated from the implementation reality.”
One of the ways hackers could abuse this flaw is by changing how Lockdown Mode works in Safari and allowing it to view PDF files (which are unavailable when the feature is active).
But Lockdown Mode is not completely useless, the researchers stress. In September this year, CitizenLab discovered that BLASTPASS – a chain of exploits used to deliver the Pegasus malware – was effectively stopped on iOS devices thanks to Lockdown Mode.
