Image: Urupong/Getty Images
Once Apple launches the new iPhone and iPad operating system early next month, users will be able to turn on a new privacy mode that the company calls “extreme.” It’s made for journalists, activists, politicians, human rights defenders, and anyone else who may be worried about getting targeted by sophisticated hackers, perhaps working for governments armed with spyware made by companies such as NSO Group. Apple calls it “Lockdown Mode” and it works by disabling some regular iPhone features that have been exploited to hack users in the past.
But if users turn on Lockdown Mode, they will be easy to fingerprint and identify, according to a developer who created a proof of concept website that detects whether you have Lockdown Mode enabled or not. In other words, Lockdown Mode users will be easy to detect and they will stand out because Lockdown Mode will presumably be relatively uncommon.
John Ozbay, the CEO of privacy focused company Cryptee, and a privacy activist, told Motherboard that any website or online ad can detect whether some regular features are missing, such as loading custom fonts, one of the features that Lockdown Mode disables.
“Let’s say you’re in China, and you’re using Lockdown Mode. Now, any website that you visit could effectively detect you are using Lockdown Mode, they have your IP address as well. So they will actually be able to identify that the user with this IP address is using Lockdown Mode,” Ozbay said in a call. “It’s a tradeoff between security and privacy. [Apple] chose security.”
Do you, or did you used to, work at Apple? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email [email protected]
Ozbay said that there are several features that Lockdown Mode disables, and that websites could detect, but the lack of loading custom fonts is “the easiest thing to detect and exploit.”
“It took us five minutes to put the code together and see if this was working,” he said.
This issue, which is technically not a bug but just a specific drawback of how Lockdown Mode is designed, could paint a massive target on the back of users who are likely Apple’s most vulnerable users. There unfortunately may be no way around it.
“As for fingerprinting, it’s sadly a trade off we always have to deal with. The same is true of Tor and the Tor Browser—they go to huge lengths to reduce any fingerprinting ability but you end up standing out because you’re the one with less traceable fingerprints,” Ryan Stortz, an independent security researcher who has studied iOS, told Motherboard.
Ozbay created a proof-of-concept website that detects whether the visitor is using Lockdown Mode. Motherboard verified it works by visiting the website with an iPhone without Lockdown Mode enabled, and asking Stortz, who has Lockdown Mode enabled, to visit the site.
Ozbay reached out to an Apple employee on Twitter and had a conversation with him about the issues he found. The employee, according to screenshots of their chat, told him that “web fonts are disabled intentionally to remove font parsing from available web attack surface,” and that “watering hole attacks are part of our threat model, so I’m not sure it would make sense to have web font exceptions per site.” (Watering hole attacks are exploits where hackers lure a victim to a known website where they injected malware, or a copycat of a known website that serves malware.)
In other words, there’s nothing Apple can do right now to mitigate this issue without fundamentally changing how Lockdown Mode works.
Apple did not respond to a request for comment.
Even if Apple doesn’t make any changes, Stortz hopes that if enough people turn on Lockdown Mode, everyone will blend in and it will be harder to be identified as an interesting target.
“Obviously you have to opt into Lockdown Mode and are sorta signaling that you think you’re potentially of interest to a nation state attacker but Apple also made it painfully easy to turn on,” he said. “So ideally you’d be lost in the crowd of people who are more privacy conscious without the targeted spying concerns.”
UPDATE, Friday Aug. 26, 11:24 a.m. ET: This story has been updated to clarify that Lockdown Mode users will be easy to detect and they will stand out, but will not necessarily be easy to fingerprint individually.
Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.