One of the new features coming with iOS 16 and iPadOS 16.1 is an extreme security setting called Lockdown Mode. This new feature increases the security of the iPhone. However, it may also render users who turn on the mode easily identifiable by websites.
Lockdown Mode Poses Privacy Risk
John Ozbay, CEO of privacy-focused firm Cryptee, told Motherboard that when users turn on Lockdown Mode, they will be easy to fingerprint and identify. Ozbay and his team created a proof of concept website that detects whether a user has Lockdown Mode active or not. With fingerprinting, websites or online ads can detect whether some standard features are missing on a device.
Once users enable Lockdown Mode, any website they visit could be able to detect that they may be using Lockdown Mode. The websites will associate the user’s IP address with Lockdown Mode. Hence, while Lockdown Mode adds security to the iPhone, it also poses a privacy threat to the user.
Apple Hopes to Protect High-Risk Individuals
As mentioned, Lockdown Mode will be available once Apple releases iOS 16 and iPadOS 16.1. The new security feature is meant for high-risk iPhone users such as journalists, politicians and human rights defenders, among others. Sophisticated hackers often target these people. Lockdown Mode works by disabling some regular iPhone features that have been exploited by hackers in the past.
For those who are worried about the privacy risk of Lockdown Mode, well, it’s a good thing Apple disables the feature by default. Users may opt to enable or disable it once the new OS is installed on their device.
Ozbay reached out to an Apple employee on Twitter to air the issue he found. He cited one feature that Lockdown Mode disables, loading custom fonts. According to him, this is one of the easiest things to detect and exploit. In response, the Apple employee told him that web fonts are disabled intentionally to “remove font parsing from available web attack surfaces,” and that “watering hole attacks are part of our threat model, so I’m not sure it would make sense to have web font exceptions per site.”
The Need to Change Lockdown Mode’s Fundamentals
So, there’s nothing Apple can do right now unless it decides to change how Lockdown Mode works. But we seriously doubt Apple will be able to do that at this time.
Ryan Stortz, an independent security researcher who has studied iOS e hopes that if enough people turn on Lockdown Mode, everyone will blend in. This would make it harder to identify interesting targets to attack.
Obviously you have to opt into Lockdown Mode and are sorta signaling that you think your potential of interest to a nation state attacker but Apple also made it painfully easy to turn on. So ideally you’d be lost in the crowd of people who are more privacy conscious without the targeted spying concerns.