New Apple Security Feature: Adds ‘Extreme’ Protection

Apple is taking steps to improve security for people like journalists, activists, and politicians with a remarkable setting in iOS 16, iPadOS 16, and macOS Ventura dubbed Lockdown Mode.

This setting hardens an iPhone, iPad, or Mac’s defenses, in practice disrupting methods we’ve seen used to compromise devices in highly targeted attacks.

Lockdown Mode blocks many message attachment types, disables link previews, turns off specific web browsing technologies, blocks invitations and FaceTime calls from unknown sources, and locks down wired connections to computers or accessories. In addition, while Lockdown Mode is on, the device cannot install new configuration profiles or enroll in mobile device management (MDM).

Lockdown Mode is for people who might be targeted by state-sponsored spyware, but anyone can use it. These areas are known to be vulnerable: Google’s Project Zero team detailed how the iPhones of people targeted by the Pegasus software could be compromised in a “zero-click” scenario that used a GIF to exploit iMessage in the background. Other attacks have repeatedly targeted MDM solutions or used malicious websites to exploit flaws in rendering, and Lockdown Mode closes those doors from the start.

Apple calls it an “extreme, optional” level of protection that’s an apparent response to the growing use of state-sponsored mercenary software like the Pegasus tool developed by NSO Group. Evidence of the software has been found on the devices of journalists like Jamal Khashoggi. According to Bloomberg reporter Mark Gurman, Apple released iOS 16 Developer Beta 3, including Lockdown Mode.

In past years, Apple had been criticized for not working with security researchers to find and close flaws in its platforms as much as other big tech companies did, before launching an iOS bug bounty program in 2016. It expanded the program to cover other devices in 2019 and said it would distribute special security research devices to outside researchers.

According to Apple’s head of security engineering and architecture, Ivan Krstić, “While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are. That includes continuing to design defenses specifically for these users and supporting researchers and organizations worldwide doing critically important work exposing mercenary companies that create these digital attacks.”

While introducing the new operating systems at WWDC 2022 in June, Apple said its new Rapid Security Response feature would let patches for security flaws roll out faster and take effect on a Mac without requiring a reboot. iOS 16 and macOS Ventura are also set to include support for new passkey technology that will help eliminate the use of passwords.

Other tech companies have made similar efforts in their own ways, like Google’s Advanced Protection Program for its accounts or the Super Duper Secure Mode Microsoft started testing in Edge last fall. Some small companies have also tried offering hardened Android devices that promise protection against various vulnerabilities. Still, Lockdown Mode is a new level of security that will be available to millions of people once it launches with the latest software updates later this year.

Microsoft’s Vulnerability Research (VR) team is testing a new Edge feature that challenges some conventional assumptions many in the browser community hold. The hope is to build something that transforms the modern exploit landscape and significantly raises the cost of exploitation for attackers. Unfortunately, mitigations have a long history of being bypassed, so we are seeking feedback from the community to make something of lasting significance.

Most importantly, we intend to have fun with this project. That includes giving the experiment a slightly provocative name, because we think it is funny and it is a bit too early for something official.

The regular stream of bugs requires frequent security updates, and the ease of exploitation means attackers can quickly weaponize exploits, which is useful to them when exploiting the patch gap. This problem is not unique to V8; it is common to most modern JavaScript engines. Google, Mozilla, Microsoft, and others proactively mitigate this threat with significant investments in static analysis, bug bounties, and fuzzing. All of these enable rapid identification of some of these problems, but inevitably, some are missed. JavaScript engines remain a severe security challenge for browsers.

The problem is partly due to a performance technology called “Just-In-Time Compilation” (JIT). JITs were introduced to browsers in 2008 to speed up specific tasks in JavaScript. JIT-enabled engines effectively take loosely-typed JavaScript and compile it to machine code before it is needed. This process is sometimes referred to as “speculative optimization.” JavaScript code is optimized via a series of complex processing pipelines. These changes result in impressive performance gains: developers have made JavaScript performance comparable to C++, which is remarkable. However, a lot goes into this procedure. To give some perspective, here is a high-level overview of the V8 pipeline from a presentation Google gave in 2016.

Performance and sophistication often come at a cost, and often we bear this price in the form of security bugs and subsequent patches. For example, CVE (Common Vulnerabilities and Exposures) data from 2019 onward indicates that roughly 45% of CVEs issued for V8 were related to the JIT engine. Moreover, we know that attackers also weaponize and abuse these bugs; research from Mozilla reveals that over 50% of the “in the wild” Chrome exploits abused a JIT bug, as illustrated in the charts below.

This reduction of attack surface could significantly improve user security; it would remove roughly half of the V8 bugs that must be fixed. It also means fewer security updates and fewer emergency patches for users. These updates and patches are standard points of frustration for users, particularly those in large enterprise environments who must test updates before rolling them out.

There are advantages beyond just attack surface reduction. Due to how the V8 JIT works, several impactful mitigation technologies cannot be brought to bear in the renderer process. For example, Control-flow Enforcement Technology (CET), a new hardware-based exploit mitigation from Intel, is disabled. Likewise, Arbitrary Code Guard (ACG) cannot be enabled, because the JIT needs memory pages that are writable and executable at the same time (RWX).
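To make the RWX point concrete, here is an added example (not code from the article, from Apple, or from Microsoft’s Edge team). It is a toy “JIT” that writes a few bytes of machine code for `return 42` into an anonymous page and calls it twice: once the way a JIT that depends on RWX pages does, and once in the write-xor-execute (W^X) style that a mitigation like ACG enforces, where the page is writable while code is emitted and then flipped to read-execute before it runs. It assumes Linux on x86-64 or AArch64 with POSIX `mmap`/`mprotect`; the function names are the example’s own. On a system whose policy forbids RWX mappings, `run_rwx` fails at `mmap` and returns -1, which is exactly the behaviour a real JIT would have to work around.

```c
// Added example: a toy JIT showing RWX pages versus the W^X discipline
// (write with RW, then mprotect to RX before executing). Linux, x86-64 or
// AArch64 assumed; all names here are the example's own.
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

typedef int (*jit_fn)(void);

/* Machine code for "return 42", one encoding per architecture. */
#if defined(__x86_64__)
static const uint8_t k_code[] = {
    0xb8, 0x2a, 0x00, 0x00, 0x00, /* mov eax, 42 */
    0xc3                          /* ret        */
};
#elif defined(__aarch64__)
static const uint8_t k_code[] = {
    0x40, 0x05, 0x80, 0x52, /* mov w0, #42 */
    0xc0, 0x03, 0x5f, 0xd6  /* ret         */
};
#else
#error "this example only carries x86-64 and AArch64 encodings"
#endif

static const size_t k_page = 4096;

/* Call the code in `page` through a function pointer without relying on
 * an object-pointer-to-function-pointer cast (ISO C leaves that undefined). */
static int call_page(void *page) {
    jit_fn fn;
    memcpy(&fn, &page, sizeof fn);
    __builtin___clear_cache((char *)page, (char *)page + sizeof k_code);
    return fn();
}

/* RWX style: one mapping that is writable and executable at the same time.
 * This is the property the text says V8's JIT needs and ACG forbids.
 * Returns 42 on success, -1 if the system refuses an RWX mapping. */
int run_rwx(void) {
    void *page = mmap(NULL, k_page, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, k_code, sizeof k_code);
    int r = call_page(page);
    munmap(page, k_page);
    return r;
}

/* W^X style: the page is never writable and executable at once. Code is
 * emitted while the page is RW, then the page is flipped to RX to run it.
 * Returns 42 on success, -1 on any mapping or protection failure. */
int run_wx(void) {
    void *page = mmap(NULL, k_page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, k_code, sizeof k_code);
    if (mprotect(page, k_page, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, k_page);
        return -1;
    }
    int r = call_page(page);
    munmap(page, k_page);
    return r;
}

int main(void) {
    /* Both paths return 42 on a default Linux box; only the RWX path is
     * expected to return -1 under a policy that denies writable+executable
     * memory, which is the situation a W^X-enforcing mitigation creates. */
    return (run_wx() == 42) ? 0 : 1;
}
```

The difference between the two functions is the whole story behind the paragraph above: a JIT that must be able to patch code it has already emitted (for deoptimization, inline-cache updates and the like) cannot live with the second pattern without redesign, so enabling ACG in a JIT-enabled renderer is not a matter of flipping a switch.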

Even with these protections, finding vulnerabilities in the operating systems that run so many devices remains a valuable endeavor. So Apple says it is doubling the bounty for “qualifying findings” in Lockdown Mode to $2 million, which it says is the highest maximum bounty payout in the industry. Apple also says that any damages awarded from the lawsuit it filed last fall against NSO Group will be added to a $10 million grant to support organizations that “investigate, expose, and prevent highly targeted cyberattacks, including those created by private companies developing state-sponsored mercenary spyware.”