Apple launching Lockdown Mode with iOS 16 to guard against Pegasus-style spyware

A blue model of the iPhone 12 Pro
(Image credit: Shutterstock)

Apple has teased an upcoming security initiative for iPhone, iPad, and Mac users who believe they may be targeted of state-sponsored spyware campaigns in the mould of Pegasus, Predator, and Hermit.

Lockdown Mode, which is coming to iOS 16, iPad OS 16 and macOS Ventura in autumn, will implement stricter security measures on Apple devices to combat the exfiltration or monitoring of sensitive data flowing in and out of Apple hardware.

The feature will offer “extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security”.

Embattled Israeli outfit NSO Group’s Pegasus spyware is perhaps the most infamous programme of this kind, having been found on the devices of numerous high-profile individuals over the past several years, including murdered Saudi journalist Jamal Khashoggi.

Despite being discovered years ago, and with Apple releasing security patches to prevent it infecting devices, Pegasus continues to infect individuals’ devices today.

Reports from this year have indicated government officials in both the UK and El Salvador have been targeted, years after the first known Pegasus case was reported.

“While the vast majority of users will never be the victims of highly targeted cyberattacks, Apple will work tirelessly to protect the small number of users who are,” said Ivan Krstić, head of security engineering and architecture at Apple on Twitter. “I’m deeply proud of our next steps, including a groundbreaking feature: Lockdown Mode.”

Technical implementations

Apple calls Lockdown Mode a ‘first of its kind feature’ that'll offer a swathe of technical features to keep the digital lives of targeted individuals safe from state-sponsored spyware.

For messaging, Lockdown Mode will block most major attachment types, other than images, and block other features like link previews.

While Apple didn’t explicitly state the reason for this, the measure could have been implemented in relation to Pegasus previously being installed by exploiting a no-click vulnerability in Apple’s iMessage.

A number of “complex web technologies” involved in on-device web browsing will also be blocked, Apple said. Things like just-in-time (JIT) JavaScript compilation - a method of compiling code to make both execution and the overall experience faster - will be disabled unless a user whitelists a given website in Lockdown Mode’s settings, for example.

Incoming invitations and service requests such as FaceTime calls will be blocked for users who have never interacted with the initiator before, and wired connections to other computers or accessories will also be blocked when an iPhone is locked, Apple said.

Lastly, configuration profiles will not be able to be installed, nor can devices be enrolled into mobile device management (MDM) programmes - combatting a method of spyware installation exploited by Hermit. However, Krstić confirmed pre-existing MDM enrollment is preserved after enabling Lockdown Mode.

Apple said it will continue to add additional features to Lockdown Mode over time and as user feedback is received.

It has also added a special category to its pre-existing bug bounty programme for Lockdown Mode bypasses, offering what it calls the largest potential payout for any bug bounty in the industry $2 million (£1.67 million) as a reward for the most severe submissions.

$10 million fund

In addition to the launch of Lockdown Mode, Apple said it will be setting up a $10 million grant, plus any additional funds generated from the damages it receives in its ongoing lawsuit against Pegasus creators NSO Group, to support organisations fighting highly targeted cyber attacks.

Such organisations could include those making efforts to quell state-sponsored spyware attacks, or those tasked with investigating and exposing the operators behind them - and other types of targeted attacks on digital security.


Securing endpoints amid new threats

Ensuring employees have the flexibility and security to work remotely


The grant will be made available to the Dignity and Justice Fund which expects to issue the first round of grants in late 2022 or early 2023.

“There is now undeniable evidence from the research of the Citizen Lab and other organisations that the mercenary surveillance industry is facilitating the spread of authoritarian practices and massive human rights abuses worldwide,” said Ron Deibert, director at Citizen Lab, a research group at the University of Toronto long-famed for its investigations into state-sponsored spyware.

“I applaud Apple for establishing this important grant, which will send a strong message and help nurture independent researchers and advocacy organisations holding mercenary spyware vendors accountable for the harms they are inflicting on innocent people.”

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.