iPhone’s Lockdown Mode Stops Spyware From NSO Group


iPhone's Lockdown Mode

Recently, Citizen Lab, a watchdog group that has been keeping track of NSO Group’s attempts to deliver spyware to human rights activists in Mexico, discovered that Apple’s Lockdown Mode has successfully thwarted the hacking attempts of the notorious commercial spyware vendor. NSO Group had deployed a new iOS exploit named “PwnYourHome” last year, which could secretly infiltrate a user’s iMessages app and tamper with the HomeKit software.

However, Citizen Lab noticed that the attack was blocked on iPhones that had activated the Lockdown Mode, which was introduced in September 2022 through iOS 16. This means that users who had enabled Lockdown Mode received real-time warnings when the PwnYourHome exploitation was attempted against their devices. Citizen Lab’s report also noted that NSO Group had begun delivering the exploit in October, after which Lockdown Mode was able to detect and block the PwnYourHome exploit by flagging its attempts to access the iPhone’s HomeKit software.

Apple’s Lockdown Mode was designed to restrict various features and processes on an iPhone; this disables some functionality, but it also prevents hacking attempts from secretly tampering with the OS. This is particularly important for government officials and human rights activists, who are often the targets of professional spyware vendors. Citizen Lab’s findings are, therefore, good news, as Lockdown Mode has successfully blocked NSO Group’s PwnYourHome exploit.

“Given that we have seen no indications that NSO has stopped deploying PwnYourHome, this suggests that NSO may have figured out a way to correct the notification issue, such as by fingerprinting Lockdown Mode,” Citizen Lab added.

However, Citizen Lab also cautioned that the absence of recent notifications could mean NSO Group has created a workaround to bypass Lockdown Mode. The spyware vendor’s products are adept at deleting any traces of themselves from infected iPhones, and since there have been no recent Lockdown Mode notifications and no evidence of a successful PwnYourHome compromise of a device in Lockdown Mode, it is possible that NSO has found a way to avoid triggering the notification, for example by fingerprinting Lockdown Mode and not deploying the exploit against devices that have it enabled.

Citizen Lab has provided Apple with forensic evidence from its investigations in October and January, so Cupertino is likely to have already developed new security measures to bolster Lockdown Mode. It is also worth noting that NSO Group and Apple have not yet responded to Citizen Lab’s report. Overall, while Lockdown Mode has proven effective in thwarting NSO Group’s latest exploit, the spyware vendor’s ability to create new workarounds means that vigilance and constant updates to security measures are necessary to protect users from such threats.
