Apple has struck a big blow against the mercenary "surveillance-as-a-service" industry, introducing a new, highly secure Lockdown Mode to protect individuals at the greatest risk of targeted attacks. The company is also offering millions of dollars to support research to expose such threats.
Starting in iOS 16, iPadOS 16 and macOS Ventura, and available now in the latest developer-only betas, Lockdown Mode hardens security defenses and limits the functionalities sometimes abused by state-sponsored surveillance hackers. Apple describes this protection as "sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware."
In recent years, a series of targeted spyware attacks against journalists, activists, and others have been exposed. Names including Pegasus, DevilsTongue, Predator, Hermit, and NSO Group have undermined trust in digital devices and exposed the risk of semi-private entities and the threat they show against civil society. Apple has made no secret that it is opposed to such practices, filing suit against the NSO Group in November and promising to oppose such practices where it can.
"Apple's newly released Lockdown Mode will reduce the attack surface, increase costs for spyware firms, and thus make it much harder for repressive governments to hack high-risk users," said John Scott-Railton, senior researcher at the Citizen Lab at the University of Toronto's Munk School of Global Affairs and Public Policy.
"We congratulate [Apple] for providing protection to human rights defenders, heads of state, lawyers, activists, journalists, and more," tweeted the EFF, a privacy advocacy group.
At present, Apple says Lockdown Mode provides the following protections:
Ivan Krsti?, Apple's head of Security Engineering and Architecture, notes that Lockdown Mode can be applied to devices that are already enrolled in an MDM service. "Pre-existing MDM enrollment is preserved when you enable Lockdown Mode," he tweeted.
The company says it intends to extend the protection provided by Lockdown Mode over time and has invested millions in security research to help identify weaknesses and increase the integrity of this protection.
Turning on Lockdown Mode. (Click image to enlarge it.)
These attacks don't come cheap, which means most people are unlikely to be targeted in this way. Apple began sending threat notifications to potential victims of Pegasus soon after it was revealed and says the number of people targeted in such campaigns is relatively small.
All the same, the scale is international, and the company has warned people in around 150 nations since November 2021. A BBC report confirms hundreds of targets and tens of thousands of phone numbers leaked as a result of NSO's Pegasus alone. Victims have included journalists, politicians, civil society advocates, activists, and diplomats, so while the numbers are small, the chilling impact of such surveillance is vast.
I believe that such technologies will become cheaper and more available over time, so it's only a matter of time before they leak into wider use. Ultimately the very existence of such attacks - state-sponsored or not - makes the entire world less safe, not safer.
"There is now undeniable evidence from the research of the Citizen Lab and other organizations that the mercenary surveillance industry is facilitating the spread of authoritarian practices and massive human rights abuses worldwide," said Citizen Lab Director Ron Deibert in a statement. Deibert told CNET he thinks Lockdown Mode will deal a "major blow" to spyware companies and the governments that use their products.
"While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are," said Apple's Krsti? in a statement. "That includes continuing to design defenses specifically for these users, as well as supporting researchers and organizations around the world doing critically important work in exposing mercenary companies that create these digital attacks."
There's little doubt Microsoft and Google will also move to provide similar protection to users. Google and Meta already offer tools to secure the accounts of those who are at an "elevated risk of targeted online attacks," but these tools don't go nearly as far as Lockdown Mode.
Apple already makes vast investments in security. For example, the company is working with others in the industry to support password-free authentication, has built tools to mask IP addresses and continues to focus on user privacy.
The company will introduce a Rapid Security Response feature for its devices this fall, which will make it possible to deploy security fixes outside of full security updates and much more. Apple is even investing in improving the security of programming languages, further eroding potential attack surfaces.
The company has now announced further investment in the security community:
The fund will make its first grants later this year, focusing initially on initiatives to expose the use of mercenary spyware. In the press release announcing the initiative, Apple tells us these grants will focus on:
The fund's grant-making strategy will be advised by a global Technical Advisory Committee. Initial members include Daniel Bedoya Arroyo, digital security service platform analyst at Access Now; Citizen Lab Director Ron Deibert; Paola Mosso, co-deputy director of The Engine Room; Rasha Abdul Rahim, director of Amnesty Tech at Amnesty International; and Apple's Krsti?.
Ford Foundation Tech and Society Program director Lori McGlinchey said:
"The global spyware trade targets human rights defenders, journalists, and dissidents; it facilitates violence, reinforces authoritarianism, and supports political repression. The Ford Foundation is proud to support this extraordinary initiative to bolster civil society research and advocacy to resist mercenary spyware. We must build on Apple's commitment, and we invite companies and donors to join the Dignity and Justice Fund and bring additional resources to this collective fight."
Following revelations about NSO Group last year, Apple published a set of recommendations to help users mitigate against such risks. These guidelines do not even approach the kind of robust protection you can expect from Lockdown Mode, but it makes sense for anyone to follow such practices:
Furthermore, Amnesty Tech is gathering signatures to demand an end this kind of targeted surveillance of human rights defenders. I'd urge readers to add their signature to my own.
Please follow me on Twitter, or join me in the AppleHolic's bar & grill and Apple Discussions groups on MeWe.