Apple’s Lockdown Mode was designed to protect iPhones from state-sponsored hackers and spyware, but now it appears that it could be used to trick unsuspecting users into having a false sense of security.
As reported by The Hacker News, security researchers at Jamf have identified a post-exploitation tampering technique that makes it appear like Lockdown Mode is enabled when it really isn’t.
First introduced with iOS 16, Lockdown Mode hardens defenses on the best iPhones by strictly limiting certain functions. While inconvenient for most, it can be really useful for those who are particularly vulnerable or prone to being targeted by organizations like the NSO Group which developed the Predator spyware.
However, Jamf has now shown in a new report that if a hacker has already compromised your iPhone, Lockdown Mode can be bypassed when you go to turn it on. This isn’t the kind of attack that most people will need to worry about, but it could be devastating for those who rely on Lockdown Mode for extra security.
Creating a false sense of security
If a hacker manages to infect your iPhone with malware, “there are no safeguards in place to stop the malware from running in the background” regardless of whether Lockdown Mode is activated, according to Jamf.
To demonstrate how Lockdown Mode can be faked, Jamf’s researchers created a file named “/fakelockdownmode_on” which they put onto a compromised iPhone. When Lockdown Mode was activated on this device, instead of actually rebooting and enabling it, the phone allowed Jamf’s injected code to maintain control over the security feature.
It’s worth noting that this technique can also be used to allow malware that lacks persistence to continue running on a compromised iPhone even after a reboot so that it can continue spying on a targeted user.
From here, Jamf’s researchers used a similar trick to make Apple’s Safari browser appear that it was running in Lockdown Mode even when it wasn’t. This allowed the researchers to view PDF files in Apple’s browser even though doing so is normally blocked when Lockdown Mode is turned on.
Unlike the best antivirus software, which can detect both new and existing malware, Lockdown Mode is really only effective before an attack takes place. Fortunately for frequent Lockdown Mode users, hackers have not yet been observed using this technique according to Jamf and now that Apple has been made aware of it, there’s a chance a permanent fix will arrive alongside iOS 18.
How to keep your iPhone safe from hackers
When it comes to keeping your iPhone protected from cyberattacks and malware, the first and most important thing you can do is to keep it up to date. This means installing all of the latest updates and security patches as soon as they become available.
Although this can be time consuming as well as a bit annoying, hackers frequently target users that have not updated their devices yet with exploits made for known vulnerabilities. By keeping your iPhone updated though, you can avoid falling victim to these kinds of attacks.
While there isn’t an iPhone equivalent to the best Android antivirus apps due to Apple’s own restrictions, one of the best Mac antivirus software solutions does provide a workaround for those that want to scan their iOS devices for malware.
With Intego Mac Internet Security X9 or Intego Premium Bundle X9, all you have to do is plug in your iPhone or iPad to your Mac using a USB cable and the software will scan it for viruses. This is a really useful feature, especially as this new Lockdown Mode bypassing technique requires that an iPhone is already compromised by malware to work.
iPhones have a reputation for being more secure than the best Android phones, but this also makes them a prime target for cybercriminals and state-sponsored hackers looking to get rich quickly.
More from Tom's Guide
