Apple 'Lockdown Mode' Bypass Subverts Key iPhone Security Feature

The new feature was designed to protect particularly vulnerable users - for example, activists and journalists in the crosshairs of dictatorships - by shutting off or otherwise significantly reducing features of the device that hackers love best.
In practice this mode turns on a small number of identifiable functions, only some of which are newly protected within the device's kernel.
As a result, on Dec. 5, analysts from Jamf Threat Labs were able to demonstrate how to subvert Lockdown Mode, delivering a like-for-like user experience while still allowing cyberattacks to persist underneath the surface.
Lockdown Mode is not a tool for finding or removing an existing compromise; rather, it's designed to massively reduce the surface within which attackers can gain an initial foothold on the device.
It does this by, for example, removing support for file formats popular in cyberattacks, disabling certain convenience features - like the preview window associated with links shared in iMessage - and restricting Web browsing with captive portals.
If an attacker has already compromised a device, Apple's Lockdown Mode won't boot them out.
What it can do is make persistence more difficult, which is where the Jamf proof-of-concept comes in.
By identifying and manipulating just a few bits of code responsible for triggering and maintaining lockdown mode, the Jamf researchers were able to disable it, while simultaneously presenting the user with visual cues mimicking all of lockdown mode's typical identifying traits.
They replaced the method responsible for enabling Lockdown Mode with one that merely drops a file ('/fakelockdownmode on') and triggers a userspace restart, so the device appears to go through the usual activation sequence.
They mimicked Lockdown Mode in Safari by hooking the function that turns on the captive-portal Web engine, and they hooked the function that reports Lockdown Mode's status to the user in the first place.
These tricks are more difficult to pull off as of iOS 17, when Apple elevated lockdown mode to the kernel.
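The paragraphs above describe the core of the PoC: the status indicator and the enforcement logic were both reachable from userspace, so the researchers could switch the real restrictions off while hooking the status query to keep saying "on". The following C model is an added illustration, not Jamf's PoC or Apple's code. It assumes a hypothetical dispatch table of function pointers (`lockdown_ops`) standing in for the hookable userspace entry points, and a single hypothetical restriction (link previews) standing in for the real set; both are constructed for the example. It shows why a check that trusts the status function alone is fooled, and how comparing the reported status against an observable effect of the restrictions exposes the mismatch. When the state moves into the kernel, as the text says happened in iOS 17, a userspace hook cannot reach the equivalent of this table at all.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not Apple's code): a userspace lockdown subsystem whose
 * enforcement state and status reporting live in the same process and are
 * reached through overwritable function pointers. */

static bool g_restrictions_enforced = false;   /* are restrictions really in force? */

static bool real_enable(void)               { g_restrictions_enforced = true; return true; }
static bool real_status(void)               { return g_restrictions_enforced; }
static bool real_link_preview_allowed(void) { return !g_restrictions_enforced; }

/* Hypothetical dispatch table: the entry points the UI and Safari go through. */
struct lockdown_ops {
    bool (*enable)(void);                 /* turn Lockdown Mode on */
    bool (*status)(void);                 /* what Settings/Safari display */
    bool (*link_preview_allowed)(void);   /* one restriction the mode imposes */
};

static struct lockdown_ops ops = { real_enable, real_status, real_link_preview_allowed };

/* Attacker-side hooks, modelled on the PoC: the status query always answers
 * "on", and the enable path performs only the visible side effects. */
static bool hooked_status(void) { return true; }
static bool hooked_enable(void) {
    /* Stand-in for dropping the marker file and triggering a userspace
     * restart so the device looks like it just entered Lockdown Mode. */
    return true;
}

/* Attacker disables the real mode and installs the hooks. */
void install_hooks(void) {
    g_restrictions_enforced = false;
    ops.enable = hooked_enable;
    ops.status = hooked_status;
    /* link_preview_allowed is deliberately left alone: restrictions stay off. */
}

/* Restore the genuine dispatch table (resets the model between scenarios). */
void remove_hooks(void) {
    g_restrictions_enforced = false;
    ops.enable = real_enable;
    ops.status = real_status;
    ops.link_preview_allowed = real_link_preview_allowed;
}

bool request_enable(void) { return ops.enable(); }

/* Text the Settings screen would render. */
const char *settings_badge(void) {
    return ops.status() ? "Lockdown Mode: On" : "Lockdown Mode: Off";
}

/* Naive check: trusts the status function alone, so the hook fools it. */
bool naive_check_enabled(void) { return ops.status(); }

/* Cross-check: the reported status must agree with an observable effect of
 * the restrictions. A lit indicator with no enforcement behind it is the
 * "UI element out of place" the article says to watch for. */
bool status_is_consistent(void) {
    bool reported = ops.status();
    bool enforced = !ops.link_preview_allowed();
    return reported == enforced;
}

bool consistent_check_enabled(void) {
    return status_is_consistent() && ops.status();
}

int main(void) {
    remove_hooks();
    request_enable();
    printf("genuine: %-18s consistent=%d\n", settings_badge(), status_is_consistent());
    install_hooks();
    request_enable();
    printf("hooked:  %-18s consistent=%d\n", settings_badge(), status_is_consistent());
    return 0;
}
```

The design point is that a status indicator is only as trustworthy as the code path that produces it; if that path sits in the same hookable address space as the attacker, a second, independent signal (here, whether a restriction is actually applied) is needed to catch the divergence.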
An Industry-Wide Security Blind Spot
Few people will find themselves needing to use Lockdown Mode.
The point of the story really has little to do with this particular exploit, or even the entire subject of lockdown mode.
Attention in the industry is unevenly distributed: some areas of security get loads of it, while other potentially crucial areas fall through the cracks.
Covington recommends keeping a keen eye out for unexplained performance issues and for any UI element that seems out of place.


This Cyber News was published on www.darkreading.com. Publication date: Tue, 05 Dec 2023 22:50:32 +0000