This study examines a situation in which a vulnerable device is compromised by an attacker who seeds the code to implement Fake Lockdown Mode. When a high-risk user, such as journalists, government officials, or executives, of the compromised device activates Lockdown Mode, they activate the attacker’s code that visually activates Lockdown Mode but doesn’t actually change the device’s setup. Apple’s Lockdown mode in iOS 16 is a useful feature for specific circumstances but won’t protect you if your phone has already been compromised. This article explores our research on the effectiveness of Fake Lockdown Mode. If a hacker has infiltrated your device, they can bypass Lockdown Mode when you trigger its activation. Lockdown Mode was introduced by Apple in September 2022 in response to the increase in global cyber attack campaigns. The years 2021 and 2022 saw the largest number of in-the-wild zero-day attacks detected, according to Google’s Threat Analysis Group. Pegasus, a well-known spyware, can infect the latest iPhone without requiring user interaction, known as a zero-click attack. Despite Apple’s efforts to improve security, Pegasus operators have shown an impressive ability to find new vulnerabilities and execute zero-click attacks. This scenario raised concerns among users, leading to the creation of Lockdown Mode as a solution. Lockdown Mode works by reducing the functionality remotely accessible to potential attackers, which minimizes the code exposed to exploit vulnerabilities. If Lockdown Mode is enabled, your device will not function as it typically does. It restricts some apps, websites, and features and is available in iOS 16 and later, iPadOS 16 and later, watchOS 10 and later, and macOS Ventura or later. Although Lockdown Mode was found effective in September 2023 to block a particular attack, it is not effective if an attack has already been initiated on the device. In the rest of this article, we will show how, in the scenario of an iPhone that has already been infected, Lockdown Mode might be manipulated, potentially creating a false sense of security. Overall, users should be aware that Lockdown Mode’s main purpose is to reduce potential attack vectors. However, we have shown that it may not stop an attack that has already been initiated on an infected device. In reviewing how Lockdown Mode functions, code implementation related to Lockdown Mode has been found to exist within the iOS 16 kernel. A full reboot of the device is not needed for activating or deactivating Lockdown Mode at this stage. Since iOS 17, Apple has elevated Lockdown Mode to kernel level, meaning that a system reboot is required for activation or deactivation. The focus regarding manipulating Lockdown Mode is to render it ineffective and replace a system reboot with a user space reboot, showcasing how malware could deceive the user. At the end, keep in mind that an infected device do not have safeguards to prevent malware from running in the background, whether the user activates Lockdown Mode or not. When a user turns on Lockdown Mode, it will disable certain features and trigger a device reboot.


Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.

View Articles