from Hacker News

About Lockdown Mode

by hjuutilainen on 9/14/22, 8:15 PM with 259 comments

  • by ievans on 9/14/22, 8:36 PM

    Notable highlights for me:

    > Lockdown Mode is available in iOS 16 and coming soon in iPadOS 16 and macOS Ventura.

    > Web browsing - Certain complex web technologies are blocked, which might cause some websites to load more slowly or not operate correctly. In addition, web fonts might not be displayed, and images might be replaced with a missing image icon.

    The first sentence I believe is referring to disabling JIT (just in time compilation of Javascript), which is dangerous as it allocates W+X pages which are often used by the final stage of an exploit. Apple did an amazing job already of hardening iOS by severely restricting which applications can use JIT (and this is their justification for why non-Safari browser engines are not allowed on iOS) and even enabling per-thread memory page permissions. Many more details are in this fantastic post from Google's project Zero: https://googleprojectzero.blogspot.com/2020/09/jitsploitatio...

    Overall it's very interesting to see Apple invest so significantly in something that will benefit relatively few users -- not that I'm complaining!

  • by teeray on 9/14/22, 8:52 PM

    > Lockdown Mode is not a configurable option for Mobile Device Management by system administrators

    This is the best news. Otherwise, you can bet your IT department would be throwing that switch on for everyone.

  • by miles on 9/14/22, 9:28 PM

    Still waiting for Apple to allow restricting network access (both cellular and WiFi) for specific apps on all devices, not just those sold in China: https://apple.stackexchange.com/a/312430/51806 .

  • by HL33tibCe7 on 9/14/22, 9:51 PM

    This further cements my opinion that Apple is just leaps ahead of anyone else wrt security and privacy these days. They should be applauded for this.

    I look forward to when this comes to iPad. An iPad with a Bluetooth keyboard is an excellent option over a traditional laptop for a high-risk target, and this’ll make it even better.

  • by yosito on 9/14/22, 8:57 PM

    I wonder why all of these settings are grouped together into a "mode" rather than giving users control over each of them individually.

    What if I want to block USB devices, but I want to be able to use shared photo albums?

  • by geoffeg on 9/14/22, 10:25 PM

    I find it interesting that Lockdown Mode doesn't (yet) enable multiple lock screen authentication methods. Requiring Face ID AND a pass code could be useful. (There are rumors that Apple will add Touch ID back to their phones in the future. I'm not sure they'd keep Face ID on a phone with Touch ID but combining those two methods AND requiring a pass code would seem to be the most secure.)

    I'd also like to see some method for quickly wiping the phone or severely disabling it. A friend mentioned that a new scheme for thieves is to ask you for your unlocked phone at gunpoint and then use a cash app to transfer money to one of their accounts. Some way to very quickly (and covertly) wipe your phone would help defend against that attack. (Related: https://www.startribune.com/warrant-grifters-targeting-cash-...)

  • by larsnystrom on 9/14/22, 11:42 PM

    My only worry with this is that Lockdown Mode will be a reason to let the “default” mode be less secure. I understand some security features can cause major inconveniences, and so Apple needs to weigh security against convenience as part of their design process. I just hope they keep striking a good balance there, and won’t use Lockdown Mode as an easy way out of those design questions.

  • by calo_star on 9/15/22, 2:20 AM

    > FaceTime - Incoming FaceTime calls are blocked unless you have previously called that person or contact. Apple Services - Incoming invitations for Apple Services, such as invitations to manage a home in the Home app, are blocked unless you have previously invited that person.

    Well I would like to have these two enabled in regular situation.

  • by _jal on 9/14/22, 8:55 PM

    Unless I'm missing something, I think I plan to just run this all the time. I see very few downsides, personally.

    > web fonts might not be displayed

    Great, I almost always prefer system default fonts.

    > Incoming FaceTime calls are blocked

    Perfect, I don't use it, it is always some scammer.

    > Incoming invitations for Apple Services

    Perfect, I don't care.

    > Shared albums are removed from the Photos app

    I don't use this stuff, I don't care.

    > To connect your device to a USB accessory or another computer, the device needs to be unlocked.

    This seems like it should have always been the default.

    > Configuration profiles can’t be installed

    Perfect, nobody should be trying to manage my phone.

  • by yuan43 on 9/14/22, 8:36 PM

    > Lockdown Mode is an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. Most people are never targeted by attacks of this nature.

    The list of restrictions doesn't seem to inhibiting - for those who have used it, what are the points that stand out? Is this something designed for habitual use or under specific situations?

  • by Tomte on 9/14/22, 8:46 PM

    I think lockdown mode prevented me from copying text on my iPad and pasting it on the iPhone in WhatsApp, but let me paste it in Apple Notes.

    I'm not sure though, it might have been a bug, it might have been a user error, but I wonder if inter-device copy and paste is limited, too. I haven't read anything about it, though.

    Otherwise I've noticed nothing, except a popup when starting apps for the first time after activating lockdown mode, that lockdown mode is active for the app.

    To me, lockdown mode is a no-brainer. But I don't use very JS-intensive web sites, and never use Apple messages.

  • by mark_l_watson on 9/14/22, 9:43 PM

    I have been running Lockdown Mode for several weeks. It is very rare that my iPhone can not access a web page correctly, etc. iMessage behaves a little differently but I am used to it.

  • by aborsy on 9/15/22, 4:13 AM

    I try it and the experience is good. Barely noticeable. Maybe the sites load a bit slower, and occasionally fonts on some websites don’t render correctly. Otherwise it’s something that many people could just keep turned on.

    Private relay and locked down mode are two of the recent good features in iPhone.

    I am wondering how much is it effective against NSO-style spyware? Like, are they going to still come up with exploits and zero days hacking locked down iPhones, maybe adding 25% to their fees?

    Is there a similar mode in desk and server Linux?

  • by walterbell on 9/15/22, 2:47 AM

    Any startup employees working directly on technology trade secrets or otherwise non-public intellectual property should enable iOS16 lockdown mode.

    Thanks to years of invasive online targeting, bulk data breaches and mobile phone network structural insecurity, it has never been cheaper to screen for higher-than-average-value targets with digital assets that can be exfiltrated.

    Since targeting costs have fallen, it is profitable to target employees below the C-suite, e.g. those in strategic or development roles who routinely need to access sensitive information and digital assets. This applies to enterprise, mobile and WFH environments, e.g. leveraging mobile phone foothold to reach other devices like a home router.

  • by arecurrence on 9/14/22, 9:21 PM

    I was very happy to see this feature announced! I turned it on immediately and so far it has had little negative impact on my life.

    Some apps like Gmail will warn you that Lockdown mode is activated and that it will impact your experience but I have not encountered any drawbacks beyond iMessage links not opening the browser. This is easily worked around by copying them.

    I hope this also blocks incoming calendar invites. Apple has as a feature the automatic addition of calendar invites... spammers soon noticed this and send out calendar invites with their favorite links that can clutter it up.

  • by MuffinFlavored on 9/15/22, 2:38 AM

    "jeff bezos get caught cheating on his wife by saudi prince" mode?

  • by aborsy on 9/15/22, 4:23 AM

    The audience for this is broader than journalists and human rights activists.

    Executives, politicians, government figures, engineers and scientists with access to intellectual property, lawyers, … will all benefit from this mode.

    Think of nations stealing trade secrets and technological know-how from each other. Or how much money you could make hacking iPhone of an employee or CEO of a company that might provide inside information.

  • by smarterthanyou_ on 9/15/22, 8:18 AM

    I am not sure if Lockdown Mode is a lot of help if it can easily be detected by websites:

    https://www.vice.com/en/article/epzpb4/websites-can-identify...

  • by notart666 on 9/14/22, 11:11 PM

    I don't really see why this matters when Apple also installs backdoors into their phones and grants nation states the exploits to attack dissidents for any person or group that would need a feature like this, apple is the last company I'd trust to protect me from an authoritarian regime.

  • by calsy on 9/14/22, 9:45 PM

    Obviously these types of features are welcome, even though they are apply to an incredibly small group of people. I cant help but feel the 'personal security' push from Apple and its marketing is rather self serving.

    Apple is under more legal pressure than ever for its apparent 'anti-competitive' practices. They have on many occasions pushed the line of user privacy and security to defend their business. Features like this benefit a small group of people, but help Apple enormously in defending itself from litigation.

    Edit: Downvote? Why are companies given the benefit of the doubt as if they were human and caring when they are clearly not! Large listed tech companies like Apple will ALWAYS act in their own interest first. User privacy is the advantage Apple has over its competitors who rely on free services and advertising. It is in their OWN INTEREST to pursue this path which in turn impacts others ability to compete. Must we continue to be so grossly naive?

  • by steve_john on 9/14/22, 11:28 PM

    Lockdown Mode is an optional, it is a extreme protection that's designed for the very few individuals who, because of who they are or what they do, Lockdown might be personally targeted by some of the most sophisticated digital threats.

  • by jbverschoor on 9/15/22, 8:17 AM

    Lockdown Mode should be the default, and people should actively enable it. There's nothing anyone would want, except maybe shared albums. Those are from people you trust not to upload any images that exploit something.

  • by Nifty3929 on 9/15/22, 10:29 PM

    Why can’t I have the option to turn off my GPS? That seems so important and easy.

    Question: If I turn off cell, like with airplane mode, is it truly, completely off, with no cell tower pings and such?

  • by randyrand on 9/14/22, 9:10 PM

    A big shortcoming - 3rd party apps.

    Many hacks these days exploit Whatsapp incoming message processing, etc.

    Every app with push notification support increases your attack surface.

  • by int_19h on 9/15/22, 3:25 AM

    The trend towards disabling JIT for the sake of security is interesting. I wonder what effect this will have on wasm adoption.

  • by nr2x on 9/15/22, 12:21 AM

    Does lockdown mode also disable iCloud backup?

  • by perryizgr8 on 9/15/22, 3:53 AM

    Will lockdown mode stop your phone from scanning your photos and sending them to Apple/FBI?

    https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni...

  • by MMS21 on 9/14/22, 9:20 PM

    Looks like they're preparing for sideloading (LFG!)

  • by mikotodomo on 9/15/22, 2:43 AM

    Wow, with this and the iPhone 14's camera, they are massively ahead of all other companies. It makes me happy that I bought their products and helped create this.

  • by etaioinshrdlu on 9/15/22, 3:03 AM

    The funny thing is that someone notable (and likely rich and successful) gets a much worse-functioning device because of this mode.

  • by jaimex2 on 9/14/22, 11:59 PM

    Basically, Windows Server mode.

  • by maybelsyrup on 9/14/22, 9:40 PM

    Does anyone think that Lockdown Mode was allowed to roll out without the American security state feeling comfortable that they're able to defeat it by pressing a button?

  • by ffhhj on 9/14/22, 9:28 PM

    > 3. Under Security, tap Lockdown Mode and tap Turn On Lockdown Mode.

    > 4. Tap Turn On Lockdown Mode.

    Tap twice? ;)

  • by Arrath on 9/14/22, 8:36 PM

    The ability to exclude apps or websites from the lockdown seems at the face of it to reintroduce attack surface that lockdown mode is meant to prevent.

    Countdown to some 0day no-click exploit that adds an app or service or site to the exclusion list and then proceeds with a further attack?

  • by lizardactivist on 9/14/22, 9:55 PM

    Important to understand is that "provisioned access" as given to the US government is not considered to be a cyber attack, and lockdown mode will not help you there.

    Also, it appears you cannot use configuration profiles in lockdown mode, meaning you may not be able to use DNS over TLS or HTTPS.

  • by ThinkBeat on 9/14/22, 8:57 PM

    These things are godo and bad.

    It is nice to make the effort, and it might be dome good. and allow a lot of people to feel l33t

    It is bad if people at proper risk think they are safe once it is enabled. (and those, to me, appear to be the people this is marketed for)