Do you think your iPhone is protected? Don't blindly believe what you see.
Experts from Jamf Threat Labs warned of a new threat to iPhone users associated with the use of "post-operational intervention techniques". This method allows attackers to visually deceive the user, making him believe that his iPhone is in lock mode, when in fact it is not at all, and thus conduct covert attacks.
In their report, experts described how when a device is already hacked, fraudsters can simulate the activation of the lock mode, which makes it possible to secretly control the device, using, for example, uncorrected security vulnerabilities.
Lockdown Mode, introduced by Apple last year in iOS 16, is an enhanced security measure to protect against sophisticated digital threats such as advanced spyware. The official website describes the feature as providing "ultra-reliable protection", but in practice it does not prevent malicious programs from running on a compromised device, but only minimizes the attack surface.
According to security researchers Hu Ke and Nir Avraham, the malware installed on the device can continue to run in the background, regardless of the activation of the lock mode.
An attack using a fake lock mode is achieved by intercepting functions that are activated when this mode is enabled. This creates the file "/fakelockdownmode_on" and initiates a reboot that does not affect the system kernel. This means that malicious software remains on the device even after such a reboot.
Michael Covington of Jamf, noted that tricking users into thinking that their device is working properly and additional security features are activated significantly reduces the likelihood of suspicion of a hidden threat.
It should be noted that with iOS 17, Apple moved the lock mode to the kernel level, which significantly increases security. Changes made to lock mode at the kernel level usually cannot be undone without a system reboot.
This discovery by Jamf experts follows the August one when the company demonstrated a different method on iOS 16 that allows you to secretly save access to an Apple device, deceiving the victim and making her think that airplane mode is enabled on the smartphone.
Covington emphasized that Jamf's research has shown how user interfaces can be easily manipulated. The ability to deceive users by imitating a particular system mode is a clear shift in cybersecurity threats. It is expected that such methods will be increasingly used in the future.
Experts from Jamf Threat Labs warned of a new threat to iPhone users associated with the use of "post-operational intervention techniques". This method allows attackers to visually deceive the user, making him believe that his iPhone is in lock mode, when in fact it is not at all, and thus conduct covert attacks.
In their report, experts described how when a device is already hacked, fraudsters can simulate the activation of the lock mode, which makes it possible to secretly control the device, using, for example, uncorrected security vulnerabilities.
Lockdown Mode, introduced by Apple last year in iOS 16, is an enhanced security measure to protect against sophisticated digital threats such as advanced spyware. The official website describes the feature as providing "ultra-reliable protection", but in practice it does not prevent malicious programs from running on a compromised device, but only minimizes the attack surface.
According to security researchers Hu Ke and Nir Avraham, the malware installed on the device can continue to run in the background, regardless of the activation of the lock mode.
An attack using a fake lock mode is achieved by intercepting functions that are activated when this mode is enabled. This creates the file "/fakelockdownmode_on" and initiates a reboot that does not affect the system kernel. This means that malicious software remains on the device even after such a reboot.
Michael Covington of Jamf, noted that tricking users into thinking that their device is working properly and additional security features are activated significantly reduces the likelihood of suspicion of a hidden threat.
It should be noted that with iOS 17, Apple moved the lock mode to the kernel level, which significantly increases security. Changes made to lock mode at the kernel level usually cannot be undone without a system reboot.
This discovery by Jamf experts follows the August one when the company demonstrated a different method on iOS 16 that allows you to secretly save access to an Apple device, deceiving the victim and making her think that airplane mode is enabled on the smartphone.
Covington emphasized that Jamf's research has shown how user interfaces can be easily manipulated. The ability to deceive users by imitating a particular system mode is a clear shift in cybersecurity threats. It is expected that such methods will be increasingly used in the future.
