Although Apple designs security into its hardware, software, and services, Apple devices are not immune to malware and unwanted software installation. According to Malwarebytes’ 2022 Threat Review, the vast majority of malware detections on Apple platforms are—in most cases—fairly harmless; however, the growth of mercenary spyware places specific, targeted individuals within key industries at risk.
To counteract the risk from mercenary spyware, Apple released a new security protection mode named “Lockdown Mode” in September 2022 as part of the release of iOS 16 (it will be available for iPadOS 16 and macOS Ventura when Apple releases those in October 2022). This mode provides enhanced security for individuals at the tradeoff of removing or greatly stripping down many functionalities within the various Apple operating systems.
IT and security teams should familiarize themselves with Lockdown Mode and the broader commercial and mercenary spyware threat. This understanding will help them field questions from employees about security best practices and about whether or not they should enable this new feature.
To understand mercenary spyware, we should first describe its place within the commercial spyware industry. Commercial spyware is sometimes called "stalkerware" or "surveillanceware". These umbrella terms refer to spyware applications that someone installs on someone else’s device, with or without the other person’s consent or knowledge, to track the activity of the person who uses the device. For example, a 2021 online poll by The Harris Poll on behalf of NortonLifeLock found that “Nearly one in 10 adults who have been in a romantic relationship used an app to monitor a romantic partner’s device activity.” Likewise, governments and law enforcement have argued that commercial spyware can have legitimate uses for tracking suspected terrorists and criminals.
Most commercial spyware operates like a remote access Trojan (RAT). While functionality differs between variants, commercial spyware typically allows for a range of functions, like:
Stalkerware typically relies on a user — or someone with access to a user’s device — installing either a dedicated stalkerware app or an app masquerading as a common utility but containing stalkerware. Although stalkerware is particularly problematic on Android devices due to the more open nature of the Google Play Store, some bad actors have been able to evade Apple protections and get an app with stalkerware features into the App Store.
Mercenary spyware is a thornier and more advanced issue: it is technically sophisticated and highly targeted. Unlike other forms of commercial spyware, which individuals purchase and which may be distributed (covertly or not) through the App Store, mercenary spyware is developed by companies specifically for sale to law enforcement and governmental organizations.
While different variants of mercenary spyware have various functionalities and attack vectors, typically, they may:
The mercenary spyware industry is experiencing a boom. According to The New Yorker, the industry currently has an estimated valuation of 12 billion USD. Israel-based NSO Group is perhaps the most infamous mercenary spyware company. According to NSO Group, it designed its Pegasus malware to track criminals and terrorists. However, an investigation by The Guardian and 16 other media organizations into an NSO Group data leak found over 50,000 phone numbers that NSO clients had identified as belonging to people of interest. Among these were numbers belonging to prominent journalists, activists, and politicians.
Several other state-sponsored mercenary spyware organizations exist beyond NSO Group, and as the mercenary spyware industry grows, other state-funded companies will likely emerge. Russian and Chinese companies, for instance, are also starting to develop and sell mercenary spyware.
Regardless of the variant of mercenary spyware or its developer, Apple intends for Lockdown Mode to be able to mitigate the majority of these threats.
Lockdown Mode is an enhanced, fully optional level of additional protection that users who are high-risk targets of mercenary spyware can toggle on and off on their devices. Enabling or disabling Lockdown Mode requires physical access to the device and a restart before it takes effect. Apple intends the mode to further harden iPhone devices, iPad devices, and Mac computers by limiting their overall attack surface.
Apple released a complete list of protections Lockdown Mode provides for a device. In exchange for these protections, a user loses certain device functionalities. Users must enable Lockdown Mode in person. After agreeing to disclaimers about the loss of certain functions in exchange for activating Lockdown Mode, the device restarts with the mode enabled.
Following the device restart, Lockdown Mode puts in place five principal lines of protection:
Apple plans to continue to hone and develop Lockdown Mode going forward. As they are released, these refinements will likely result in additional tradeoffs between functionality and security, driven by the mercenary spyware threat landscape and by shifts in the attack vectors being exploited.
Lockdown Mode is likely unnecessary and cumbersome for typical users, negatively impacting the user experience and device functionality. Apple says Lockdown Mode is intended only for a small number of users worldwide who face targeted, state-sponsored attacks. For individuals potentially facing such threats, the additional security offered by Lockdown Mode may be worth the tradeoff of decreased functionality.
Lockdown Mode is likely to be most beneficial for activists operating within authoritarian states or lobbying against such states abroad, investigative journalists, politicians, and human rights lawyers. Due to the highly targeted nature of mercenary spyware attacks, there is little value in an average user employing this feature or a company mandating employees use it unless they work in a targeted field or are a known target of such operations.
An additional Lockdown Mode use case could be for professionals traveling abroad to a country that may be unsafe or that poses a heightened risk of espionage. In such cases, security best practice is for the team member to use a dedicated device intended solely for in-country use and destroyed after the trip (also called a burner device). For additional security, professionals can enable Lockdown Mode on a burner device to help mitigate attacks.
A potential drawback of using Lockdown Mode in an enterprise setting is that a device can no longer enroll in a new MDM solution after Lockdown Mode is activated. However, if a device was previously enrolled in an MDM solution, that MDM solution can continue to interact with the device after the user enables Lockdown Mode. Note that the MDM framework doesn't contain any mechanism to inform an MDM solution whether the device is using Lockdown Mode. And to be clear, you can't use an MDM solution to turn Lockdown Mode on or off; only the device user can activate or disable Lockdown Mode, in person, on the device.
Due to the highly technical and specialized threats underpinning the development of mercenary spyware, such as exploit chains and zero-day vulnerabilities, no single mitigating strategy is foolproof. Any additional mitigations instead focus on reducing the potential attack surface and interfering with persistence, rather than completely blocking all possibility of attack. With that in mind, there are some additional mitigating strategies and general security best practices security teams should advise potential targets to employ.
You can implement some mitigations if your MDM solution supports them, but other mitigations are up to the user to implement after education and awareness. Potential mitigations include the following:
While Lockdown Mode might only benefit a small, specific group of users, everyone can benefit from additional vigilance and observing security best practices to avoid being the victim of an attack.