Skip to content
guide for apple it: mercenary spyware and lockdown mode
Blog Recent News Guide for ...

Guide for Apple IT: Mercenary Spyware and Lockdown Mode

Kandji Team Kandji Team
13 min read

Although Apple designs security into its hardware, software, and services, Apple devices are not immune to malware and unwanted software installation. According to Malwarebytes’ 2022 Threat Review, the vast majority of malware detections on Apple platforms are—in most cases—fairly harmless; however, the growth of mercenary spyware places specific, targeted individuals within key industries at risk.

To counteract the risk from mercenary spyware, Apple released a new security protection mode named “Lockdown Mode” in September 2022 as part of the release of iOS 16 (it will be available for iPadOS 16 and macOS Ventura when Apple releases those in October 2022). This mode provides enhanced security for individuals at the tradeoff of removing or greatly stripping down many functionalities within the various Apple operating systems. 

IT and security teams should familiarize themselves with Lockdown Mode and the broader commercial and mercenary spyware threat. Understanding will help them field questions from employees about security best practices and whether or not they should enable this new feature.

What is Commercial Spyware? 

To understand mercenary spyware, we should first describe its place within the commercial spyware industry. Commercial spyware is sometimes called "stalkerware" or "surveillanceware". These umbrella terms refer to spyware applications that someone installs on someone else’s device, with or without the other person’s consent or knowledge, to track the activity of the person who uses the device. For example, a 2021 online poll by The Harris Poll on behalf of NortonLifeLock found that “Nearly one in 10 adults who have been in a romantic relationship used an app to monitor a romantic partner’s device activity.” Likewise, governments and law enforcement have argued that commercial spyware can have legitimate uses for tracking suspected terrorists and criminals.

Most commercial spyware operates like a remote access Trojan (RAT). While functionality differs between variants, commercial spyware typically allows for a range of functions, like:  

  • Viewing a target’s texts 
  • Tracking a target’s internet usage
  • Acting as a keylogger 
  • Stealing a target’s data 
  • Tracking a target’s location 

Stalkerware typically relies on a user — or someone with access to a user’s device — installing either a dedicated stalkerware app or an app masquerading as a common utility but containing stalkerware. Although stalkerware is particularly problematic on Android devices due to the more open nature of the Google Play Store, some bad actors have been able to evade Apple protections and get an app with stalkerware features into the App Store.

Understanding Mercenary Spyware

Mercenary spyware is a thornier and more advanced issue. It is technically advanced and highly targeted spyware. Unlike other forms of commercial spyware that individuals purchase and may be distributed via the App Store, either secretly or not, companies develop mercenary spyware specifically for sale to law enforcement and governmental organizations. 

While different variants of mercenary spyware have various functionalities and attack vectors, typically, they may: 

  • Be delivered via malicious links, man-in-the-middle attacks, physical access to a device, or through malicious attachments   
  • Exploit a chain of vulnerabilities, including potential zero-days, to infect a target device 
  • Leverage zero-click attacks, which do not require user interaction 
  • Attempt to remotely jailbreak a device to acquire persistence
  • Operate without a persistence mechanism to achieve high levels of stealth

The mercenary spyware industry is experiencing a boom. According to The New Yorker, the industry currently has an estimated 12 billion USD valuation. Israel-based NSO Group is perhaps the most infamous mercenary spyware company. According to NSO Group, it designed its Pegasus malware to track criminals and terrorists. However, an investigation by The Guardian and 16 other media organizations into an NSO Group data leak found over 50,000 phone numbers that they identified as people of interest by NSO clients. Among these phone numbers were numbers belonging to prominent journalists, activists, and politicians.  

Several other state-sponsored mercenary spyware organizations exist beyond NSO Group, and as the mercenary spyware industry grows, other state-funded companies will likely emerge. Russian and Chinese companies, for instance, are also starting to develop and sell mercenary spyware. 

Regardless of the variant of mercenary spyware or its developer, Apple intends for Lockdown Mode to be able to mitigate the majority of these threats. 

What is Lockdown Mode? 

Lockdown Mode is an enhanced, fully-optional level of additional protection that users, who are high-risk targets of mercenary spyware, can toggle on and off on their devices. Enabling and disabling Lockdown Mode requires physical access to the device and a restart before taking effect. Apple intends the mode to further harden iPhone devices, iPad devices, and Mac computers by limiting their overall attack surfaces.

What protections does Lockdown Mode provide? 

Apple released a complete list of protections Lockdown Mode provides for a device. In exchange for these protections, a user loses certain device functionalities. Users must enable Lockdown Mode in person. After agreeing to disclaimers about the loss of certain functions in exchange for activating Lockdown Mode, the device restarts with the mode enabled. 

Following the device restart, Lockdown Mode puts in place five principal lines of protection: 

  • Incoming messages in the Messages app: Besides specific images, video, and audio, Lockdown Mode blocks most message attachment types. Some other message features are also disabled, such as link previews. An iPhone in Lockdown Mode can send messages with #images (trending GIFs that animate only in the Messages app on Apple devices) and Message Effects (such as Love, Balloons, Invisible Ink, Confetti). However, you won’t see the Message Effects when someone else sends them to you (GIFs show up as a static image instead of an animation). Apple intends these measures to prevent malware installation and attackers potentially obtaining a user’s IP address. What about apps other than Messages? It’s up to the developer. For example, on iOS, Messenger from Meta doesn’t display a preview of a URL but receiving GIFs, stickers, and sounds are allowed when Lockdown mode is enabled.
  • Web browsing: Lockdown Mode prevents Safari from using certain web technologies like just-in-time JavaScript compilation and WebAssembly on websites. It also prevents downloading of custom font files and displaying certain image types. However, users can set sites as “trusted,” which allows the browser to bypass Lockdown Mode’s enhanced security restrictions for that site. On iOS, Safari, and third-party browsers are affected by Lockdown mode because they use WebKit, but but third-party macOS browsers aren’t required to use WebKit, so they aren’t all affected. 
  • Apple Services: Some incoming Apple service invitations are blocked, such as Shared Album invitations in Photos, invitations to manage a home in the Home app, and FaceTime calls from contacts the user has not previously initiated a call or request with. Any existing Photos shared albums are removed. These measures prevent zero-click attacks from exploiting potential vulnerabilities in these services. 
  • Physical connections: Lockdown Mode blocks a locked device from connecting to anything physically plugged into it, i.e., over USB, without the user unlocking the device. This restriction should prevent attackers from exploiting physical access to a device to install malware when a user is not present. 
  • Configuration files and mobile device management (MDM): Lockdown Mode prevents devices from installing any new configuration profiles or enrolling in a new MDM solution. This function prevents attackers from being able to control a device or exfiltrate user data remotely. 

Apple plans to continue to hone and develop Lockdown Mode going forward. As they are released, these refinements will likely result in additional tradeoffs between functionality and security based on the mercenary spyware threat landscape and shifts in leveraged attack vectors. 

Who should use Lockdown Mode?             

Lockdown Mode is likely unnecessary and cumbersome for typical users, negatively impacting the user experience and device functionality. Apple says Lockdown Mode is intended only for a small number of users worldwide who face targeted, state-sponsored attacks. For individuals potentially facing such threats, the additional security offered by Lockdown Mode may be worth the tradeoff of decreased functionality. 

Lockdown Mode is likely to be most beneficial for activists operating within authoritarian states or lobbying against such states abroad, investigative journalists, politicians, and human rights lawyers. Due to the highly targeted nature of mercenary spyware attacks, there is little value in an average user employing this feature or a company mandating employees use it unless they work in a targeted field or are a known target of such operations. 

An additional Lockdown Mode use case could be for professionals traveling abroad to a country that may be unsafe or poses a heightened risk of espionage. In such cases, security best practices are for a team member to use a dedicated device intended solely for in-country use, then destroyed after the trip (also called a burner device). For additional security, professionals can employ Lockdown Mode on a burner device to help mitigate attacks. 

Lockdown Mode and MDM Solutions 

A potential drawback of using Lockdown Mode in an enterprise setting is that devices can no longer enroll in a new MDM solution after activating Lockdown Mode. However, if a device was previously enrolled in an MDM solution, the MDM solution can continue to interact with the device after a user enables Lockdown Mode. In fact, the MDM framework doesn’t contain any mechanism to inform an MDM solution whether the device is using Lockdown Mode. And to be clear, you can’t use an MDM solution to turn on or off Lockdown Mode; only the device user can activate or disable Lockdown Mode–in person, on the device.

Additional Security Mitigations 

Due to the highly technical and specialized threats underpinning the development of mercenary spyware, such as exploit chains and zero-day vulnerabilities, no single mitigating strategy is foolproof. Any additional mitigations instead focus on reducing the potential attack surface and interfering with persistence, rather than completely blocking all possibility of attack. With that in mind, there are some additional mitigating strategies and general security best practices security teams should advise potential targets to employ. 

You can implement some mitigations if your MDM solution supports them, but other mitigations are up to the user to implement after education and awareness. Potential mitigations include the following:

  • Disable iMessage and FaceTime, which have been sources of zero-click attacks. 
  • Reboot devices on a regular, daily schedule to disrupt potential persistence mechanisms.
  • Do not open links or download attachments, especially if they come from unknown contacts. For attachments that come from known contacts, recipients should verify the document is actually from them using an alternate mode of communication. 
  • Disable Airdrop or restrict the service to Contacts Only to prevent anyone in range from being able to attempt to send files to a device. 
  • Disable Bluetooth when not in use. This has the dual benefit of mitigating a potential connection vector and preventing a device from potentially revealing personally identifiable information if the device is named after the user. 
  • Disable Wi-Fi when not needed, and change the default setting to “Ask” when joining known networks or hotspots. Also, confirm that any network is actually yours before joining, like a wireless network with the same name as your home network appearing while you are at an airport. This new network should be treated with suspicion and not joined. 
  • Avoid using any public or untrusted Wi-Fi network. If you must use an untrusted or public network, be sure to use a reputable VPN during the entire time. For additional security, use a privacy-focused browser such as Tor. 
  • Apply security updates as soon as they are released. 

While Lockdown Mode might only benefit a small, specific group of users, everyone can benefit from additional vigilance and observing security best practices to avoid being the victim of an attack.