Apple says no one using Lockdown Mode has been hacked with spyware

Nearly four years after introducing a security feature called Lockdown Mode, Apple says it has yet to see a case where someone’s device was hacked and these additional security features were unlocked.

“We are not aware of any successful spyware attacks with Apple Mode enabled by Lockdown,” Apple spokeswoman Sarah O’Rourke told TechCrunch on Friday.

It’s the latest confirmation by the tech giant that Apple devices with Lockdown Mode can withstand government spyware attacks, after making the claim for the first time a year after the security feature went live.

Apple in 2022 announced Lockdown Mode, a series of security breaches that turn off certain features on iPhones and other Apple devices that are often used to hack targets with spyware. Apple released this security mode specifically to help vulnerable customers protect themselves from threats posed by government espionage by companies such as Intellexa, NSO Group, and Paragon Solutions.

In recent years, Apple has acknowledged that its customers can be hacked by spyware and has been very active in informing targeted customers.

Apple has sent a number of notifications to users in more than 150 countries, informing them that they may have been hacked with spyware, which shows how much visibility the company now has in these types of attacks. Apple hasn’t said how many users they’ve notified, but it’s likely that there have been dozens, if not more.

Donncha Ó Cearbhaill, head of the security lab at Amnesty International, where he has investigated dozens of spyware attacks, said he and his colleagues “have never seen evidence that an iPhone has ever been successfully compromised by mercenary spyware when Lockdown Mode was enabled during an attack.”

Digital rights organizations such as Amnesty International and the University of Toronto’s Citizen Lab have documented several successful attacks on iPhone users, none of which have gotten past Lockdown Mode. In at least two cases, Citizen Lab researchers have publicly disclosed that they have seen Lockdown Mode block spyware attacks, one with NSO’s Pegasus, and the other with Predator spyware, which is now part of Intellexa.

In at least one documented case of a spyware attack targeting iPhones, security researchers at Google said the spy would bail by trying to infect the victim if it found Lockdown Mode, possibly as a way to avoid detection.

Patrick Wardle, an Apple cybersecurity expert and critic, says Lockdown Mode is a key feature that makes it more difficult for spyware makers to attack Apple users.

“I think it’s safe to say, Lockdown Mode is one of the hardest consumer-facing things ever shipped,” he told TechCrunch.

Wardle explained that by “shrinking the attack surface,” Lockdown Mode eliminates many of the techniques commonly used to exploit the iPhone, and forces spyware makers to use techniques that are more complex and expensive to develop.

“It kills all delivery methods/exploit classes,” he added, “as it prevents many types of message attachments, it limits WebKit features. This is really a huge reduction in the remote attack surface, especially with zero-click exploit chains,” referring to hacks that can target people over the Internet without any connection to the victim.

Lockdown Mode may have been bypassed, and neither Apple nor private investigators have caught this attack. But given that Apple is usually tight-lipped at the best of times, its latest statement marks a milestone for Lock Mode.

I’ve been using Lockdown Mode for years, and I don’t think much of it – unless the notifications pop up which can be confusing at times. Some disabled features require you to take an extra step, such as copying and pasting links from text messages into your browser. That’s why I, along with several digital security experts, recommend anyone worried about being targeted by a spy or a digital attack to turn on Lock Mode.