December 5, 2023 at 10:07AM
Jamf Threat Labs has documented a post-exploitation tampering technique that makes an already-compromised iPhone appear to be in Lockdown Mode when it is not. The device looks hardened to the user, yet the malware that was planted before the fake activation keeps running and can continue to spy. Changes Apple made to Lockdown Mode in iOS 17 may make the trick harder to pull off.
Takeaways from Meeting:
1. A new post-exploitation tampering technique has been discovered that can trick iPhone users into believing their phones are in Lockdown Mode when they are not.
2. According to Jamf Threat Labs' report, an attacker who already controls the device can intercept the user's attempt to enable Lockdown Mode, skip the real activation, and display a convincing fake in its place.
3. The technique is strictly post-exploitation: it requires a device that has already been compromised through a separate vulnerability granting arbitrary code execution. It is not a way to bypass Lockdown Mode on an uncompromised device.
4. Apple introduced Lockdown Mode in iOS 16 to protect high-risk individuals from sophisticated threats by reducing the device's attack surface. It is a preventive control: it does not stop malware that is already present on the device from running.
5. The fake Lockdown Mode is achieved by hooking the functions that run when the setting is enabled so that they instead create a marker file and trigger a userspace reboot. A userspace reboot terminates processes and restarts the system without touching the kernel, so, per the report, malware already planted on the device can survive a reboot of this kind even without a persistence mechanism.
6. As a result, the malware keeps operating and can continue to monitor the user's activity after the fake activation, while the user believes the device is locked down.
7. The same tampering can also alter how Lockdown Mode behaves in Safari, for example allowing PDF files to be viewed even though Lockdown Mode normally blocks them.
8. Apple appears to have hardened Lockdown Mode in iOS 17 by moving its state to the kernel level. State held there is not affected by a userspace reboot, so altering it would generally require a full system reboot, which raises the bar for this kind of manipulation.
9. This disclosure follows Jamf's earlier report on a similar deception technique against Airplane Mode in iOS 16.
Recommendations for Follow-up:
– Brief high-risk users that Lockdown Mode is preventive, not curative: enabling it on a device that may already be compromised does not remove malware, and the on-screen indicator alone is not proof that the mode is genuinely active.
– Encourage updating to iOS 17 or later, where Lockdown Mode state is enforced at the kernel level and is harder to tamper with.
– Consider a technical review or advisory on how users can verify that Lockdown Mode is genuinely active rather than spoofed, bearing in mind that the UI of a compromised device cannot itself be trusted as the verifier.
– Monitor further communications from Jamf and other security researchers for updates or additional security measures.
– Engage with IT security teams to discuss potential risks and responses related to the new tampering technique.
(Note: The above takeaways and recommendations are based on the provided meeting notes and are intended to summarize key points and suggest actions for consideration, consistent with the responsibilities of an executive assistant.)