Apple hits hard against ‘mercenary’ surveillance-as-a-service industry


Apple dealt a major blow to the mercenary surveillance-as-a-service industry, introducing a new, highly secure Lockdown Mode to protect those most at risk from targeted attacks. The company is also offering millions of dollars to support research to uncover such threats.

Starting with iOS 16, iPadOS 16, and macOS Ventura, and now available in the latest developer-only betas, Lockdown Mode hardens security and limits functionality sometimes abused by state-sponsored surveillance hackers. Apple describes this protection as “significantly reducing the attack surface that can potentially be exploited by highly targeted rental spyware.”

In recent years, a series of targeted spyware attacks on journalists, activists and others has come to light. Names like Pegasus, DevilsTongue, Predator, Hermit and NSO Group have undermined trust in digital devices, exposing the threat that semi-private surveillance vendors pose to civil society. Apple has made no secret of its opposition to such practices, filing a lawsuit against NSO Group in November and promising to oppose them wherever it can.

“Apple’s recently released Lockdown Mode will reduce the attack surface, increase costs for spyware companies, and thus make it much harder for repressive governments to hack into high-risk users,” said John Scott-Railton, senior researcher at the Citizen Lab from the University of Toronto’s Munk School of Global Affairs and Public Policy.

“We congratulate [Apple] for providing protection to human rights defenders, heads of state, lawyers, activists, journalists and more,” tweeted the EFF, an advocacy group for privacy.

What Does Lockdown Mode Do?

Right now, Apple says that Lockdown Mode offers the following protections:

  • Messages: Most message attachment types other than images are blocked. Some features, such as link previews, are disabled.
  • Web browsing: Certain complex web technologies, such as just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections: Connections with a computer or accessory are blocked while the iPhone is locked.
  • Configuration profiles: Profiles cannot be installed and the device cannot be enrolled in mobile device management (MDM) while Lockdown Mode is enabled.

Ivan Krstić, Apple’s head of Security Engineering and Architecture, notes that Lockdown Mode can be applied to devices already enrolled in an MDM service. “Pre-existing MDM enrollment will be preserved when you enable Lockdown Mode,” he tweeted.

The company says it plans to expand the protections Lockdown Mode provides over time and has invested millions in security research to identify vulnerabilities and increase the integrity of this protection.

How to Enable Lockdown Mode

[Image: Enable Lockdown Mode.]

  • Lockdown Mode is enabled in Settings on iPhone and iPad and in System Settings on macOS.
  • You will find it under Privacy & Security, listed at the bottom of the page.
  • Tap Lockdown Mode and you will be told that it provides “extreme, optional protection that should only be used if you believe you are personally the target of a highly sophisticated cyber-attack. Most people are never the target of this type of attack.”
  • The prompts also warn that certain functions will no longer work as usual: shared albums are removed from Photos and invitations are also blocked.

What is the magnitude of this threat?

These attacks don’t come cheap, which means most people probably won’t be attacked this way. Apple began sending threat alerts to potential victims of Pegasus shortly after it was revealed, saying the number of people targeted by such campaigns is relatively small.

Nevertheless, the scale is international, and the company has warned people in about 150 countries since November 2021. A BBC report confirms hundreds of targets and a leaked list of tens of thousands of phone numbers linked to NSO’s Pegasus alone. The victims include journalists, politicians, civil society advocates, activists and diplomats, so while the numbers are small, the chilling impact of such surveillance is huge.

I believe such technologies will become cheaper and more available over time, so it’s only a matter of time before they become more widely used. Ultimately, the existence of such attacks – whether state sponsored or not – makes the whole world less safe, not safer.

“There is now undeniable evidence from the Citizen Lab investigation and other organizations that the mercenary surveillance industry facilitates the spread of authoritarian practices and massive human rights violations worldwide,” Citizen Lab director Ron Deibert said in a statement. Deibert told CNET he thinks Lockdown Mode will be a “big blow” to spyware companies and the governments that use their products.

“While the vast majority of users will never fall victim to highly targeted cyberattacks, we will work tirelessly to protect the small number of users that are,” Apple’s Krstić said in a statement. “That includes continuing to design defenses specifically for these users, as well as supporting researchers and organizations around the world who are doing critically important work unmasking mercenaries carrying out these digital attacks.”

There is little doubt that Microsoft and Google will also move to provide users with similar protections. Google and Meta already provide tools to secure the accounts of those at “increased risk from targeted online attacks”, but these tools don’t go nearly as far as Lockdown mode.

Apple’s investments in security

Apple is already making huge investments in security. For example, the company has partnered with others in the industry to support password-free authentication, has developed tools to mask IP addresses, and continues to focus on user privacy.

The company is introducing a Rapid Security Response feature for its devices this fall, making it possible to deploy security fixes without waiting for a full software update. Apple is even investing in improving the security of programming languages, further eroding potential attack surfaces.

The company has now announced further investments in the security community:

  • Apple has created a new category within the Apple Security Bounty program to reward researchers who find ways to bypass Lockdown Mode, helping to improve its security. Bounties are doubled for qualifying findings in Lockdown Mode, up to a maximum of $2,000,000 – the highest maximum bounty payout in the industry.
  • Apple is also providing a $10 million grant, plus any damages awarded in the lawsuit it has filed against NSO Group, to support organizations that investigate, uncover and prevent highly targeted cyberattacks, including those from private companies that develop spyware for state-sponsored use. The money goes to the Ford Foundation’s Dignity and Justice Fund.

What will the Dignity and Justice Fund do?

The fund will make its first grants later this year, initially aimed at initiatives that expose the use of mercenary spyware. In the press release announcing the initiative, Apple says these grants will target:

  • Building organizational capacity and improving field coordination of new and existing civil society cybersecurity research and advocacy groups.
  • Supporting the development of standardized forensic methods to detect and confirm spyware infiltration that meet evidence standards.
  • Enabling civil society to work more effectively with device manufacturers, software developers, commercial security firms and other relevant companies to identify and address vulnerabilities.
  • Raising awareness among investors, journalists and policymakers about the global mercenary spyware industry.
  • Building the capacity of human rights defenders to identify and respond to spyware attacks, including security audits for organizations facing heightened threats to their networks.

The fund’s grant strategy will be advised by a global technical advisory committee. Early members include Daniel Bedoya Arroyo, digital security services platform analyst at Access Now; Citizen Lab Director Ron Deibert; Paola Mosso, co-deputy director of The Engine Room; Rasha Abdul Rahim, Director of Amnesty Tech at Amnesty International; and Apple’s Krstić.

Ford Foundation Tech and Society Program Director Lori McGlinchey said:

“The global spyware trade targets human rights defenders, journalists and dissidents; it facilitates violence, reinforces authoritarianism and supports political repression. The Ford Foundation is proud to support this extraordinary initiative to support civil society research and advocacy against mercenary spyware. We must build on Apple’s commitment and invite companies and donors to join the Dignity and Justice Fund and mobilize additional resources for this collective struggle.”

What else can you do?

Following revelations about NSO Group last year, Apple released a series of recommendations to help users mitigate such risks. These guidelines don’t come close to the robust protection Lockdown Mode offers, but it makes sense for everyone to follow them:

  • Update devices to the latest software, which includes the latest security fixes.
  • Protect devices with a passcode.
  • Use two-factor authentication and a strong Apple ID password.
  • Install apps only from the App Store.
  • Use strong, unique passwords online.
  • Do not click on links or attachments from unknown senders.

In addition, Amnesty Tech is collecting signatures to end this kind of targeted surveillance of human rights defenders. I urge readers to add their signature to mine.

Please follow me on Twitter, or join AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Copyright © 2022 IDG Communications, Inc.