Mercenary spyware is one of the most difficult threats to combat. It targets an infinitesimal percentage of the world, making it statistically unlikely that most of us will ever see it. And yet, because it targets only the most influential people (think diplomats, political dissidents, and lawyers), sophisticated malware from private companies that sell to nation-state governments has a devastating effect that is far out of proportion to the small number of people infected. This puts device and software manufacturers in a bind. How do you build something to protect what’s likely well under 1 percent of your user base from malware created by companies like NSO Group, maker of click-free exploits that instantly turn fully updated iOS and Android devices into sophisticated bugging devices?
No security snake oil here
On Wednesday, Apple previewed a smart option it plans to add to its flagship operating systems in the coming months to combat the threat of mercenary spyware. The company is upfront—almost in your face—that Lockdown mode is an option that will degrade the user experience and is only intended for a small number of users.
“Lockdown mode provides an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from the NSO Group and other private companies that develop government-sponsored spyware,” the company said. “Enabling Lockdown in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and severely limits certain features, sharply reducing the attack surface that highly targeted spyware could potentially exploit.”
As Apple says, Lockdown mode disables all kinds of protocols and services that normally run. Just-in-time (JIT) JavaScript compilation, a performance technique that compiles JavaScript to native code on the device at runtime, will not run at all. This is likely a defense against JIT spraying, a common technique in exploit development, and it removes the JIT compiler itself, a large and complex piece of attack surface, from the browser. While in Lockdown mode, devices also cannot enroll in mobile device management (MDM), which is used to install special organization-specific software.
The full list of restrictions is:
Messages: Most types of message attachments other than images are blocked. Some features, such as link previews, are disabled.
Web Browsing: Some complex web technologies, such as JavaScript just-in-time (JIT) compilation, are disabled unless the user excludes a trusted website from Lockdown mode.
Apple Services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
Wired connections to a computer or accessory are blocked when iPhone is locked.
A configuration profile cannot be installed and the device cannot be enrolled in mobile device management (MDM) while Lockdown mode is enabled.
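The restrictions above amount to a default-deny policy with two narrow allow-lists: one the user maintains (trusted websites) and one derived from the user’s own outgoing contact history. The following is an added illustration, not Apple’s code, that models those rules as a small policy engine run over a constructed event log; the event fields, MIME types and host names are assumptions made for the example.

```python
# Toy model of the Lockdown mode rules listed above (added example, not Apple's code).
# Each event is a dict with a "kind" plus the fields that rule needs; anything the
# model does not recognise is denied, mirroring the attack-surface-reduction intent.
from dataclasses import dataclass, field

IMAGE_TYPES = {"image/jpeg", "image/png", "image/heic", "image/gif"}  # constructed list


@dataclass
class LockdownPolicy:
    enabled: bool = True
    trusted_sites: set = field(default_factory=set)  # hypothetical per-site JIT exclusions
    contacted: set = field(default_factory=set)      # people the user has already reached out to

    def record_outgoing(self, who):
        """An outgoing call or request puts the recipient on the implicit allow-list."""
        self.contacted.add(who)

    def decide(self, event):
        if not self.enabled:
            return "allow"
        kind = event["kind"]
        if kind == "attachment":          # Messages: only image attachments pass
            return "allow" if event["mime"] in IMAGE_TYPES else "block"
        if kind == "link_preview":        # Messages: link previews are off
            return "block"
        if kind == "jit":                 # Web: JIT only on user-excluded sites
            return "allow" if event["host"] in self.trusted_sites else "block"
        if kind == "incoming_request":    # FaceTime calls, invitations, etc.
            return "allow" if event["from"] in self.contacted else "block"
        if kind == "wired_accessory":     # Wired data connections only when unlocked
            return "block" if event["device_locked"] else "allow"
        if kind in ("config_profile", "mdm_enroll"):
            return "block"
        return "block"                    # default deny for anything not modelled


def run(policy, events):
    """Evaluate a sequence of events in order, letting outgoing calls update state."""
    decisions = []
    for e in events:
        if e["kind"] == "outgoing_request":
            policy.record_outgoing(e["to"])
            continue
        decisions.append((e["kind"], policy.decide(e)))
    return decisions
```

Running `run()` over a timeline in which an unknown party’s FaceTime request arrives before and after the user calls them shows the first blocked and the second allowed, which is the behaviour the Apple Services rule describes.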
It’s helpful that Apple is upfront about the additional friction that Lockdown adds to the user experience, because it underscores what every security professional or hobbyist knows: security always involves a trade-off with usability. It’s also encouraging to hear of Apple’s plans to let users maintain a list of sites that are allowed to serve JIT JavaScript while in Lockdown mode. Apple may enable a similar whitelist of trusted contacts.
Lockdown is a big deal for a number of reasons, the most important of which is that it comes from Apple, a company that is hypersensitive to customer perception. Officially acknowledging that its customers are vulnerable to the scourge of mercenary spyware is a big step. But the move is also great because of its simplicity and specificity. No security snake oil here. If you want better security, learn to do without the services that pose the biggest threat.
John Scott-Railton, a Citizen Lab researcher who knows a thing or two about counseling victims of NSO spyware, said the Lockdown feature provides one of the first effective pieces of advice that vulnerable people can follow without completely erasing their devices. “When you notify users that they’ve been targeted with sophisticated threats, they inevitably ask, ‘How can I make my phone more secure?’” he wrote. “We haven’t had a lot of great, honest responses that really make an impact. Hardening an audio consumer is really out of reach.”
3/ There is a common mental barrier among major platform and operating system developers regarding the integration of high-security features. Many unavoidable thoughts, such as: – Worse user experience (especially against the competition!) – Unusual features – More customer support resources required, etc.
— John Scott-Railton (@jsrailton) July 6, 2022
Now that Apple has opened the door, it’s inevitable that Google will follow suit with its Android OS, and it wouldn’t be surprising for other companies to do the same.
It may also start a useful discussion in the industry about broadening the reach. If Apple allows users to turn off unsolicited messages from unknown people, why can’t it provide the option to turn off the built-in microphone, camera, GPS, or cellular capabilities? One thing everyone should know about the Lockdown feature, at least as described Wednesday by Apple, is that it doesn’t prevent your device from connecting to mobile networks and broadcasting unique identifiers like the IMEI and ICCID. This is not a criticism, just a physical limitation, and trade-offs are a key part of security.
So, if you’re like most people, you’ll never need Lockdown mode. But it’s great that Apple will offer it, because it will make us all safer.