Security researchers have demonstrated a post-exploitation tampering technique that lets an attacker who already controls an iPhone present a fake Lockdown Mode to its owner. Apple introduced Lockdown Mode last year as an optional hardening setting for people at high risk of targeted spyware attacks. The technique does not break that hardening; it shows instead that once a device is compromised, the attacker can stop Lockdown Mode from ever taking effect while making it appear enabled, so the user believes they are protected while malware keeps running in the background. The fake mode is produced by hooking the functions the system runs when Lockdown Mode is switched on. The practical caveat is the one the researchers draw: Lockdown Mode is a preventive measure that reduces the device's attack surface, not a detection or remediation tool, and it offers no help on a device that is already compromised.
The technique exploits the gap between what the user interface reports and what the system actually enforces. The status shown in Settings is an assertion made by software running on the device, and on a compromised device that software answers to the attacker. The attacker hooks the functions involved in enabling Lockdown Mode: when the user switches it on, the hooked code writes a marker file and triggers a userspace reboot instead of the full restart that genuine activation performs, and the settings screen is then made to report Lockdown Mode as enabled. Because only userspace was restarted, the malware survives the apparent reboot. The result is a device that looks hardened and restarted to its owner but is still under the attacker's control and still spying on them.
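The following is an added illustration, not code from the original article or from the researchers' tooling. It models the pattern described above in plain Python: a toy device whose settings screen and whose enforcement read the same flag, an attacker hook that replaces the two entry points the user interface calls (the enable action and the status query) so that the screen reports "On" and a fake userspace reboot is logged while the real flag never changes, and the check a practitioner wants, which tests the behaviour Lockdown Mode is supposed to produce instead of trusting the indicator. All names (`Device`, `install_fake_lockdown`, `lockdown_really_enforced`) are hypothetical, and the attachment rule is a simplified stand-in for the real restrictions.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    """Toy iPhone model (constructed for illustration, not iOS code).

    One flag drives both the settings screen and the enforcement path.
    """
    lockdown_enabled: bool = False
    log: list = field(default_factory=list)

    # --- entry points the settings screen uses -----------------------------
    def lockdown_status(self) -> bool:
        return self.lockdown_enabled

    def enable_lockdown(self) -> None:
        self.lockdown_enabled = True
        self.log.append("full reboot")  # genuine activation restarts the device

    # --- enforcement path, independent of the UI ---------------------------
    def open_attachment(self, kind: str) -> str:
        # Simplified assumption: Lockdown Mode blocks non-image attachments.
        if self.lockdown_enabled and kind not in ("jpg", "png"):
            return "blocked"
        return "opened"


def settings_screen(dev: Device) -> str:
    """What the user sees; it only knows what lockdown_status() tells it."""
    return "Lockdown Mode: On" if dev.lockdown_status() else "Lockdown Mode: Off"


def install_fake_lockdown(dev: Device) -> None:
    """Post-exploitation hook (hypothetical): replace the two UI-facing
    methods on the already-compromised device.

    Enabling now writes a marker and logs a userspace reboot instead of
    calling the real enable path, and the status query reports the marker
    rather than the real flag. The implant survives because no full reboot
    ever happens.
    """
    def hooked_enable() -> None:
        dev.log.append("fake marker written")
        dev.log.append("userspace reboot")  # not a kernel reboot; implant persists
        # the original enable_lockdown is deliberately never called

    def hooked_status() -> bool:
        return "fake marker written" in dev.log

    # Instance attributes shadow the class methods: a Python analogue of
    # hooking the functions the UI calls.
    dev.enable_lockdown = hooked_enable
    dev.lockdown_status = hooked_status


def lockdown_really_enforced(dev: Device) -> bool:
    """Behavioural check: exercise something Lockdown Mode must block.

    This is the check the indicator cannot fake, because it runs through
    the enforcement path instead of the hooked status query.
    """
    return dev.open_attachment("pdf") == "blocked"


def scenario(compromised: bool) -> dict:
    """Run the user's action on a clean or pre-compromised device."""
    dev = Device()
    if compromised:
        install_fake_lockdown(dev)
    dev.enable_lockdown()  # the user taps "Turn On & Restart"
    return {
        "screen": settings_screen(dev),
        "enforced": lockdown_really_enforced(dev),
        "log": list(dev.log),
    }


if __name__ == "__main__":
    for label, flag in (("clean device", False), ("compromised device", True)):
        print(label, scenario(flag))
```

On the clean device the screen and the behavioural check agree; on the compromised one the screen says "On", the log shows only a userspace reboot, and a PDF attachment still opens. The general lesson is the one the research makes: a compromised device cannot be trusted to report its own security state, so any assurance has to come from observed behaviour or from examination independent of the device.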
The discovery is a reminder that the threat landscape keeps evolving and that user awareness matters. The researchers point out that a widely publicized security feature can be turned against the people it is meant to protect: its on-screen indicator becomes a target worth faking precisely because users trust it, which argues for verification that does not rely on the device's own reporting. The work builds on the same researchers' earlier demonstration of a method that tricks iPhone users into believing Airplane Mode is enabled while the attacker quietly keeps network access. Together the findings show how easily user interfaces can be tampered with, whether by phishing pages that imitate trusted screens or by malware that makes safety features such as Airplane Mode or Lockdown Mode appear active when they are not. This shift in social engineering, from deceiving users into taking an action to deceiving them about the state of their own device, calls for heightened vigilance and for security measures that do not take a compromised device's word for its own condition.