This is why high-value targets should use Lockdown Mode
If you’ve ever wondered how secure Apple’s Lockdown Mode is, the Federal Bureau of Investigation (FBI) has the answer — and it’s good news for journalists, business leaders, civil leaders, or anyone who has to handle confidential data.
As part of an ongoing investigation into alleged leaks of classified information to the media, the FBI controversially raided the home of Washington Post reporter Hannah Natanson, seizing the journalist’s electronic devices, including an iPhone.
The iPhone was in Lockdown Mode at the time of the raid. The FBI took the device to its Computer Analysis Response Team (CART), which attempted and failed to access the information it carried because the iPhone was in Lockdown Mode. This is likely because, when enabled, the mode prevents wired connections between the iPhone and a computer or accessory, and US law enforcement seems to use a variety of peripherals to undermine security.
It is a great example of an Apple feature doing what it is intended to do.
Massive attacks are taking place
“Lockdown Mode is an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats,” Apple says.
We already know surveillance-as-a-service firms are targeting individuals that fit Natanson’s profile, just as they target business and political leaders, dissidents, celebrities and others. Only last December, Apple had to warn customers in 84 countries that they might have been targeted by such attacks. It has warned people in 150 nations to date.
If you imagine a police raid against a journalist outside the US, it becomes much easier to recognize the value Lockdown Mode provides. It means journalists and other high-value targets can more safely use locked-down devices for their work.
The reporter could not prevent investigators from forcing her to unlock her Touch ID-enabled MacBook, as police can compel suspects to unlock biometrically protected devices. Natanson did not share the passcode to her non-biometric personal laptop, which remains a closed MacBook to authorities.
What Lockdown Mode is and how it works
Introduced in 2022, Lockdown Mode delivered a double whammy, massively increasing device security while also making complex attacks even more expensive to develop. Apple describes the protection as “sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.”
Enabled in the Privacy & Security pane of Settings on iPhone, Lockdown Mode compromises what you can do with your iPhone in exchange for the protection it provides.
When enabled, those compromises include:
- Most message attachment types other than images are blocked.
- Link previews are disabled.
- Biometric authorization no longer works.
- Certain complex web technologies, such as just-in-time (JIT) JavaScript compilation, are disabled.
- Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously contacted the other party.
- Wired connections with a computer or accessory are blocked.
- Configuration profiles cannot be installed.
- The device cannot enrol in mobile device management (MDM) systems.
Restrictions operate at the OS kernel and sandboxing level, making them extremely resilient to any attempted tampering. That resilience means Lockdown Mode protection is extremely difficult for attackers to overcome.
We don’t know where that resilience ends, and we don’t know whether the FBI in this case has access to more powerful systems with which to attack Natanson’s phone. However, we do now know for certain that Lockdown Mode can deliver the degree of protection high-value targets may require.
If nothing else, such protection might buy targets a little time when the state or other antagonists demand access to confidential sources. If you are a high-value target, it makes sense to ensure you enable this protection during high-risk activities such as when traveling, while involved in sensitive negotiations, or if you receive a threat notification. You should also use long and complex alphanumeric passwords.
Not for everyone?
“While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are,” Ivan Krstić, Apple’s head of Security Engineering and Architecture, said when introducing the protection four years ago.
It is, of course, widely recognized that Apple’s platforms are intrinsically secure. But Apple boosts this with additional optional security features, including Advanced Data Protection to encrypt device backups and Wallet Passes, and a feature called Inactivity Reboot; the latter makes devices reboot after being left inactive for some time, forcing a password to be used to unlock them again.
Apple also offers bounties to security researchers who can break Lockdown Mode and regularly updates security protection across all its platforms.
The company clearly understands that in the online world, no one is safe until everyone is safe. That’s true despite ongoing tension between digital privacy and law enforcement, particularly in heavily surveilled regimes such as the UK.
Original Link: https://www.computerworld.com/article/4128184/this-is-why-high-value-targets-should-use-lockdown-mode.html
Originally Posted: Thu, 05 Feb 2026 16:49:30 +0000











