A new "post-exploitation tampering technique" can be abused by malicious actors to visually deceive a target into believing that their Apple iPhone is running in Lockdown Mode when it's actually not and carry out covert attacks.
The novel method, detailed by Jamf Threat Labs in a report shared with The Hacker News, "shows that if a hacker has already infiltrated your device, they can cause Lockdown Mode to be 'bypassed' when you trigger its activation."
In other words, the goal is to implement Fake Lockdown Mode on a device that's compromised by an attacker through other means, such as unpatched security flaws that can trigger execution of arbitrary code.
Lockdown Mode, introduced by Apple last year with iOS 16, is an enhanced security measure that aims to safeguard high-risk individuals from sophisticated digital threats such as mercenary spyware by minimizing the attack surface.
What it doesn't do is prevent the execution of malicious payloads on a compromised device, thereby allowing a trojan deployed on it to manipulate Lockdown Mode and give users an illusion of security.
"In the case of an infected phone, there are no safeguards in place to stop the malware from running in the background, whether the user activates Lockdown Mode or not," security researchers Hu Ke and Nir Avraham said.
The fake Lockdown Mode is accomplished by hooking functions that are triggered upon activating the setting – e.g., setLockdownModeGloballyEnabled, lockdownModeEnabled, and isLockdownModeEnabledForSafari – so as to create a file called "/fakelockdownmode_on" and initiate a userspace reboot, which terminates all processes and restarts the system without touching the kernel.
This also means that a piece of malware implanted on the device sans any persistence mechanism will continue to exist even after a reboot of this kind and surreptitiously spy on its users.
"By tricking the user into believing that their device is operating normally and that additional security features can be activated, the user is far less likely to suspect any malicious activity is taking place behind the scenes," Michael Covington, vice president of portfolio strategy at Jamf, told The Hacker News.
"We did not expect that such a widely publicized security feature would have the user interface separated from the implementation reality."
What's more, an adversary could alter the Lockdown Mode on the Safari web browser to make it possible to view PDF files, which are otherwise blocked when the setting is turned on.
"Since iOS 17, Apple has elevated Lockdown Mode to kernel level," the researchers said. "This strategic move is a great step in enhancing security, as changes made by Lockdown Mode in the kernel typically cannot be undone without undergoing a system reboot, thanks to existing security mitigations."
The disclosure from Jamf arrives nearly four months after it demonstrated another novel method on iOS 16 that could be abused to fly under the radar and maintain access to an Apple device by tricking the victim into thinking their device's Airplane Mode is enabled.
"Jamf's research on Fake Airplane Mode and Fake Lockdown Mode has explored how interfaces convey trust and provide users with assurances that a device is secure," Covington said. "Our findings show that user interfaces can be easily tampered with."
"Whether it's a phishing attack delivered over HTTPS to trick the user into thinking a site is 'secure' or malware that tricks the user into thinking safety features like Airplane Mode or Lockdown Mode are active, it's clear the threat landscape is shifting. We view these developments to be an evolution of social engineering techniques and expect to see them used more actively in the future."
