Apple says no one using Lockdown Mode has been hacked with spyware

Apple’s groundbreaking security feature, Lockdown Mode, has reached a significant milestone, with the tech giant reporting no known successful mercenary spyware attacks against devices where the enhanced protections have been activated. Nearly four years since its introduction, this opt-in security measure continues to prove its efficacy against sophisticated, state-sponsored digital threats.

“We are not aware of any successful mercenary spyware attacks against a Lockdown Mode-enabled Apple device,” Apple spokesperson Sarah O’Rourke confirmed to TechCrunch on Friday, reiterating a claim first made a year after the feature’s debut. This latest affirmation underscores Apple’s confidence in Lockdown Mode’s ability to withstand the persistent and often insidious assaults from government-backed spyware.

The Genesis of Lockdown Mode

Apple initially unveiled Lockdown Mode in 2022, introducing it as an optional but robust series of security protections for iPhones, iPads, and Macs. The primary impetus for its development was to offer a stronger defense mechanism for high-risk individuals – such as journalists, human rights activists, dissidents, and government officials – who are frequently targeted by mercenary spyware. Companies like NSO Group, Intellexa, and Paragon Solutions have become notorious for developing and selling these powerful surveillance tools, which can often infiltrate devices without any user interaction.

Lockdown Mode works by significantly "hardening" the device’s defenses. It achieves this by selectively disabling or restricting features that are commonly exploited as entry points for spyware attacks. These restrictions include:

• Messages: Most message attachment types, other than images, are blocked. Certain features like link previews are also disabled. This is crucial because zero-click exploits often leverage vulnerabilities in message processing to gain initial access.
• Web Browsing: Certain complex web technologies, such as just-in-time (JIT) JavaScript compilation, are disabled unless a user explicitly excludes a trusted site. This limits the attack surface presented by malicious websites.
• Apple Services: Incoming invitations and service requests, including FaceTime calls from unknown numbers, are blocked if the user has not previously sent the initiator a request or called them.
• Shared Albums: Shared Albums are removed from the Photos app, and new Shared Album invitations are blocked.
• Wired Connections: When an iPhone is locked, wired connections with a computer or accessory are blocked.
• Configuration Profiles: Installation of configuration profiles, a method sometimes used for covert surveillance, is prevented.

By "shrinking the attack surface," as Apple cybersecurity expert Patrick Wardle described it, Lockdown Mode forces spyware developers to contend with a much smaller and more secure environment. This dramatically increases the complexity, cost, and difficulty of developing effective exploits. Wardle elaborated, calling it "one of the most aggressive consumer-facing hardening features ever shipped." He explained that it "kills entire delivery mechanisms/exploit classes," particularly targeting "zero-click exploit chains," which are the most dangerous as they require no interaction from the victim.

Apple’s Evolving Stance on Spyware

In recent years, Apple has openly acknowledged the threat posed by mercenary spyware and has adopted a more proactive stance in notifying its customers about potential targeting. This marks a significant shift from earlier periods when tech companies were often less transparent about such sophisticated threats.

Apple has issued numerous batches of notifications to users in over 150 countries, alerting them to the possibility that their devices may have been compromised by state-sponsored spyware. While the company has not disclosed the exact number of users notified, it is widely believed to be in the dozens, if not more, indicating a growing visibility into these types of attacks. This proactive notification system, combined with robust security features like Lockdown Mode, demonstrates Apple’s commitment to protecting its user base from increasingly sophisticated digital threats. Furthermore, Apple has initiated legal action against some spyware firms, reinforcing its stance against the proliferation of these surveillance tools.

Independent Verification and Real-World Impact

The effectiveness of Lockdown Mode is not merely an assertion from Apple; it has been independently corroborated by leading digital rights organizations and cybersecurity researchers.

Donncha Ó Cearbhaill, the head of the security lab at Amnesty International, a prominent organization that has investigated dozens of spyware attacks globally, stated unequivocally, “We have not seen any evidence of an iPhone being successfully compromised by mercenary spyware where Lockdown Mode was enabled at the time of the attack.” This independent verification from a highly respected investigative body lends substantial credibility to Apple’s claims.

Similarly, the University of Toronto’s Citizen Lab, another esteemed research group specializing in digital espionage, has documented numerous successful attacks on iPhone users. Crucially, none of their investigations have ever indicated a successful bypass of Lockdown Mode. In fact, Citizen Lab researchers have publicly reported at least two instances where Lockdown Mode actively thwarted spyware attacks. One such case involved NSO Group’s infamous Pegasus spyware, and another involved Predator spyware, developed by a company now associated with Intellexa. These real-world examples highlight Lockdown Mode’s tangible defensive capabilities.

Further underscoring its deterrent effect, security researchers at Google have observed that some spyware, such as the CORUNA iOS exploit kit, is programmed to abort its infection attempts if it detects that Lockdown Mode is enabled on a target device. This behavior is likely a strategy to evade detection, as a failed exploit attempt might alert the user or security researchers to the presence of an attack. The fact that spyware itself recognizes and avoids Lockdown Mode-enabled devices speaks volumes about its effectiveness.

The Significance of No Known Hacks

While it’s always possible that an attack bypassing Lockdown Mode could have occurred without being detected by Apple or independent investigators, the absence of any public or privately confirmed breaches after nearly four years is a remarkable achievement in the high-stakes world of state-sponsored cyber warfare. Apple’s public statement, coming from a company typically reserved about its security capabilities, marks a significant milestone for the feature and for user security more broadly.

For everyday users, particularly those who might be at higher risk, Lockdown Mode offers an unparalleled layer of protection. While it does introduce minor inconveniences by restricting certain functionalities – for instance, requiring an extra step to copy and paste links from text messages into a browser – the trade-off for enhanced security is overwhelmingly positive. As the author of this report notes from personal experience, after years of using Lockdown Mode, its presence is barely noticeable, save for occasional, albeit sometimes confusing, notifications.

The unanimous recommendation from digital security experts, including the author, is clear: anyone concerned about being targeted by mercenary spyware or other sophisticated digital attacks should activate Lockdown Mode. It represents a formidable barrier against some of the most advanced and intrusive surveillance tools currently in existence, offering peace of mind in an increasingly complex digital threat landscape. The ongoing success of Lockdown Mode illustrates the critical role that proactive security features play in protecting fundamental rights and freedoms in the digital age.