It turns out that visually mimicking this Fake Lockdown Mode without incorporating any of the original mode’s security features is possible.
Cybersecurity researchers at Jamf Threat Labs have discovered a new technique that allows malware to bypass Lockdown Mode on iOS devices. For your information, Lockdown Mode is a security feature introduced by Apple in iOS 16 to limit certain features/functions on an iOS device so that compromising the device becomes difficult for attackers.
Researchers found that the mode’s primary control is through user-space components, and it isn’t integrated deeply into the iOS kernel. This flaw offers threat actors an opportunity for malware to bypass the Lockdown Mode’s restrictions by altering the user’s default database or using method hooking techniques.
Jamf Threat Labs’ researchers noted that visually mimicking this Fake Lockdown Mode without providing any of the original mode’s security features is possible. It is worth noting that successful implementation of this technique is possible if the device is already compromised.
What happens is that when a user activates Lockdown Mode through the Settings app, the method is triggered, which initiates a sequence of actions, including disabling shared albums, link previews, developer mode, and enabling USB restricted mode. Additionally, it sets the LDMGlobalEnabled key in the user’s default database to “YES,” indicating that Lockdown Mode is active.
Simply put, on an already infiltrated device, a hacker can cause Lockdown Mode to be “bypassed” when the user triggers its activation. So, a user would think their device is in Lockdown Mode, but it is not and will remain vulnerable to attacks.
In their demo video, researchers created a scenario where malware intercepts Lockdown Mode activation, and instead of triggering the expected sequence, it creates a file titled “/fakelockdownmode_on.”
Then, it initiates a user space reboot and tricks the system into believing that the Lockdown Mode is active. The researchers could maintain control over Lockdown Mode by manipulating the device’s reboot process. The malware could continue to run and monitor the user’s activity, even if they had taken steps to safeguard their device.
The researchers also manipulated Lockdown Mode in Safari, one of the most commonly used applications on iOS devices. By hooking into Safari’s code, they forced the system to think that Lockdown Mode was always enabled, even when it wasn’t.
Researchers also showed how to activate Lockdown Mode in Settings and disable it without the user’s knowledge. They could view PDF files in Safari, which isn’t allowed when Lockdown Mode is truly enabled.
Lockdown Mode is a practical feature in certain situations, such as the BLASTPASS zero-click exploit identified in September 2023. However, this finding reveals that it isn’t foolproof, and it is possible to manipulate it to bypass security measures on compromised devices.
Apple addressed the vulnerability in iOS 17 by elevating Lockdown Mode to kernel level. Still, researchers are warning users to remain cautious and take steps to protect their devices. This includes using strong passwords and keeping devices updated with the latest security patches.