Fake Lockdown Mode attack can fool you into thinking your iPhone is protected when it really isn't
Lockdown Mode can be manipulated on compromised iPhones
Apple’s Lockdown Mode was designed to protect iPhones from state-sponsored hackers and spyware, but now it appears that it could be used to trick unsuspecting users into having a false sense of security.
As reported by The Hacker News, security researchers at Jamf have identified a post-exploitation tampering technique that makes it appear like Lockdown Mode is enabled when it really isn’t.
First introduced with iOS 16, Lockdown Mode hardens defenses on the best iPhones by strictly limiting certain functions. While inconvenient for most, it can be really useful for those who are particularly vulnerable or prone to being targeted by organizations like the NSO Group which developed the Predator spyware.
However, Jamf has now shown in a new report that if a hacker has already compromised your iPhone, Lockdown Mode can be bypassed when you go to turn it on. This isn’t the kind of attack that most people will need to worry about, but it could be devastating for those who rely on Lockdown Mode for extra security.
Reader Offer: Save 68% on Aura identity theft protection
Aura provides everything you need to protect your identity, data and devices online with malware protection, a password manager and a VPN all included. Tom's Guide readers can save up to 68% when they sign up.
Preferred partner (What does this mean?)
Creating a false sense of security
If a hacker manages to infect your iPhone with malware, “there are no safeguards in place to stop the malware from running in the background” regardless of whether Lockdown Mode is activated, according to Jamf.
To demonstrate how Lockdown Mode can be faked, Jamf’s researchers created a file named “/fakelockdownmode_on” which they put onto a compromised iPhone. When Lockdown Mode was activated on this device, instead of actually rebooting and enabling it, the phone allowed Jamf’s injected code to maintain control over the security feature.
It’s worth noting that this technique can also be used to allow malware that lacks persistence to continue running on a compromised iPhone even after a reboot so that it can continue spying on a targeted user.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!
From here, Jamf’s researchers used a similar trick to make Apple’s Safari browser appear that it was running in Lockdown Mode even when it wasn’t. This allowed the researchers to view PDF files in Apple’s browser even though doing so is normally blocked when Lockdown Mode is turned on.
Unlike the best antivirus software, which can detect both new and existing malware, Lockdown Mode is really only effective before an attack takes place. Fortunately for frequent Lockdown Mode users, hackers have not yet been observed using this technique according to Jamf and now that Apple has been made aware of it, there’s a chance a permanent fix will arrive alongside iOS 18.
How to keep your iPhone safe from hackers
When it comes to keeping your iPhone protected from cyberattacks and malware, the first and most important thing you can do is to keep it up to date. This means installing all of the latest updates and security patches as soon as they become available.
Although this can be time consuming as well as a bit annoying, hackers frequently target users that have not updated their devices yet with exploits made for known vulnerabilities. By keeping your iPhone updated though, you can avoid falling victim to these kinds of attacks.
While there isn’t an iPhone equivalent to the best Android antivirus apps due to Apple’s own restrictions, one of the best Mac antivirus software solutions does provide a workaround for those that want to scan their iOS devices for malware.
With Intego Mac Internet Security X9 or Intego Premium Bundle X9, all you have to do is plug in your iPhone or iPad to your Mac using a USB cable and the software will scan it for viruses. This is a really useful feature, especially as this new Lockdown Mode bypassing technique requires that an iPhone is already compromised by malware to work.
iPhones have a reputation for being more secure than the best Android phones, but this also makes them a prime target for cybercriminals and state-sponsored hackers looking to get rich quickly.
More from Tom's Guide
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.