Apple's Lockdown Mode: Four Years Without Observed Successful Spyware Attacks
Apple has stated that it has not observed any successful mercenary spyware attacks against devices with its Lockdown Mode security feature enabled, nearly four years after its introduction. Apple spokesperson Sarah O’Rourke confirmed this position, stating, "We are not aware of any successful mercenary spyware attacks against a Lockdown Mode-enabled Apple device." This statement marks Apple's latest affirmation of Lockdown Mode's efficacy against government spyware, reiterating a claim initially made a year after the feature's launch.
What is Lockdown Mode?
Introduced in 2022, Lockdown Mode is an opt-in security feature for Apple devices designed to disable certain functionalities frequently exploited by spyware. This mode aims to protect at-risk users from government-developed spyware, including products from companies such as Intellexa, NSO Group, and Paragon Solutions.
Apple has acknowledged the risk of spyware attacks on its customers and has actively notified users in over 150 countries who may have been targeted. The company has not disclosed the total number of users notified.
Expert Observations and Confirmations
Donncha Ó Cearbhaill, head of the security lab at Amnesty International, stated that his team, which investigates spyware attacks, has not observed any successful compromises of iPhones by mercenary spyware while Lockdown Mode was active. Digital rights organizations, including Amnesty International and the University of Toronto’s Citizen Lab, have documented multiple successful spyware attacks on iPhones that did not involve bypassing Lockdown Mode. Citizen Lab researchers have publicly reported instances where Lockdown Mode successfully blocked spyware attacks, including those involving NSO’s Pegasus and Intellexa’s Predator spyware.
Google security researchers have also documented at least one spyware attack targeting iPhones where the spyware would cease infection attempts upon detecting Lockdown Mode, potentially to avoid detection.
A "Significant" Hardening Feature
Patrick Wardle, an Apple cybersecurity expert, described Lockdown Mode as a significant feature that complicates spyware attacks against Apple users. Wardle characterized Lockdown Mode as "one of the most aggressive consumer-facing hardening features ever shipped."
Wardle explained that Lockdown Mode reduces the attack surface by eliminating many common iPhone exploitation techniques, forcing spyware developers to create more complex and costly methods. He noted that the feature blocks various message attachment types and restricts WebKit features, significantly reducing the remotely reachable attack surface, particularly for zero-click exploit chains.
A Notable Milestone and Expert Recommendation
While the possibility of undetected bypasses exists, Apple's recent statement is considered a notable milestone for Lockdown Mode, given the company's usual reticence regarding security details. Digital security experts frequently recommend enabling Lockdown Mode for individuals concerned about spyware or digital attacks, despite some features requiring extra steps due to the mode's restrictions.