According to Tech Radar, threat actors can now implement a fake lockdown mode for iPhone users, allowing them to run malware behind a facade that the device is under a protective state, citing a report from 'Jamf Threat Labs' as source.
The report states that if an iPhone device has already been compromised with malware, initiating iOS' lockdown mode will not be able to do much. The cited researchers note that threat actors have the ability to activate this fake lockdown mode and run malware behind the illusion, even when users attempt to activate, and are then led to believe they have activated, the security feature.
(Photo : CHRIS DELMAS/AFP via Getty Images)
Law enforcement agencies have been using Cellebrite's phone hacking technology to access locked devices.
Michael Covington, vice president of portfolio strategy at Jamf, reportedly told the Hacker News that the hacking scheme leads the user to believe that their iPhone is functioning properly and that the user may activate extra security protections thus making it far less likely for them to discover criminal behavior is occurring behind the scenes.
The researchers claim on their report that the fake lockdown mode is a "post-exploitation tampering technique," that displays all of the visual signals associated with a functional lockdown mode for an iPhone, but without any of the safeguards that the service would typically employ. This implies that a malicious program installed on an iPhone without a persistence mechanism will remain even after a reboot and continuously secretly monitor its users.
Read Also: Apple MLX: New AI Framework, Model Released as Open Source, Meant to Run on M-Series, Silicon Chips
Apple's Lockdown Mode's Effectiveness
The report noted however, that the new hacking scheme is a post-exploitation tampering approach that is not necessarily a vulnerability in iOS or a fault in Lockdown Mode. The researchers maintained that iPhone's lockdown mode is a useful feature, such as when the security feature effectively blocked BLASTPASS, a series of attacks used to distribute the Pegasus virus, as uncovered by CitizenLab in September of this year.
Apple first added lockdown mode with iOS 16 back in September 2022, an improved security feature that reduces the attack surface to protect high-risk users from sophisticated cyber threats like mercenary malware.
The feature has since then been improved by Apple in iOS 17, increasing it to "kernel level," a move lauded by the researchers as it proves to be a great move that will significantly improve security since modifications performed by lockdown mode in the kernel are usually irreversible and necessitate a system reboot.
Apple's Cyber Security Efforts
The feature was reportedly a measure aimed to stop or lessen the rise in international campaigns of cyberattacks, the research notes that Apple has been working hard in recent years to improve its security architecture.
Apple's efforts however, remains to be improved, Pegasus, one of the most notorious spyware companies, notably have the ability to infect the newest iPhone with a zero-click assault, requiring no user input.
Pegasus operators have reportedly shown to be exceptionally adept at finding new vulnerabilities to carry out cyberattacks, making users concerned about the scenario, eventually leading to the creation of lockdown mode as a way to both reassure iPhone users and counteract the rising practice.
What the feature does not do however, is stop malicious payloads from being executed on a compromised device, which leaves room for a trojan to be installed on it to manipulate lockdown mode and trick users into thinking they are safe.
Fortunately however, this newly-discovered hacking approach reportedly has yet to be seen in the wild.
Related Article: Beware Apple Users! Newly Discovered Flaw Being Used to Infect Devices With NSO Group's Pegasus Spyware
