In context: Apple designed its upcoming Lockdown Mode feature to protect devices against spyware. However, the head of a privacy startup thinks websites can easily identify who is using Lockdown Mode, potentially exposing them despite the functionality’s purpose.
John Ozbay, head of privacy tech company Cryptee, told Vice he thinks Apple’s upcoming Lockdown Mode will be highly susceptible to device fingerprinting. This core design flaw could paint a target on users who engage the mode to avoid tracking methods like spyware.
Lockdown Mode, which will come with iOS 16, iPadOS 16, and macOS Ventura when they launch this fall, is Apple’s answer to spyware from developers like NSO Group and RCS Labs. The two organizations created spyware that governments have used to track diplomats, politicians, journalists, and activists.
Apple designed Lockdown Mode so users can temporarily secure their devices by restricting many networking features. When activated, it will disable some features in web browsers and the Messages app that could be vectors for spyware and other kinds of malware. It will also block FaceTime calls from new numbers, disable wired connections, restrict mobile device management, and deploy other protections.
With this proof-of-concept, my goal was to start a conversation around the topic of security/privacy trade-offs and what enabling LM could mean for at-risk users. Perhaps everyone’s going to be okay with this trade-off, but I figured it’s important to have this conversation first
— johnozbay (@johnozbay) August 25, 2022
However, the absence of these specific features could tell websites that a visitor is using Lockdown Mode. Some sites and ads use fingerprinting to identify and track devices without cookies by analyzing a combination of characteristics: IP addresses, installed fonts, user agents, screen resolution, plugins, or what functionality users have disengaged.
Ozbay successfully tested his theory by building a website that can detect whether a device has activated Lockdown Mode, which he says took Cryptee five minutes. If a website gets a user’s IP address and knows they are using Lockdown Mode, it could bring attention to those taking extra lengths to guard their privacy.
Apple told Ozbay that Lockdown Mode disables web fonts, which removes one detail by which websites can fingerprint devices. It’s currently unclear what other measures the upcoming feature will take to fight fingerprinting.
Security researcher Ryan Stortz hopes that large numbers of users enable Lockdown Mode, making individual targets harder to identify by blending them into a crowd.