
Apple's secure Lockdown Mode may reduce web browsing anonymity


Apple's new Lockdown Mode significantly increases the security of your iPhone, but the way it works could actually decrease your device's privacy while browsing online.

Lockdown Mode is an extreme security setting meant for high-risk groups — like journalists and political figures — who may find themselves targeted by nation-states or other malicious actors. It works by disabling a number of system functions, for example by blocking message attachments and web technologies.

However, Lockdown Mode's feature restriction could make it easy for websites to figure out if someone is using the high-security setting, John Ozbay, CEO of privacy firm Cryptee, told Motherboard.

That's because websites can detect if some regular features — such as custom fonts — are missing on a device. This is called fingerprinting, and it relies on collecting information about a user's browser, device, and other metrics.

When you take into account that websites can tie your iPhone's Lockdown Status to your IP address, it becomes clear that the high-risk security mode could be a privacy risk itself.

In other words, it's trading online anonymity for higher security. As Ozbay explained to AppleInsider, "Lockdown Mode makes you safer, but also makes you easier to identify in a crowd."

To prove his point, Ozbay and the Cryptee team put together a proof of concept that can detect whether a user is in Lockdown Mode. According to Ozbay, the code took about "five minutes" to write.

The fact that websites can detect when a device is in Lockdown Mode is not a bug but a result of how the system is designed to make iPhones more secure. There's no way to mitigate the privacy drawbacks.

"Apple is doing a good job, but I wanted to raise awareness of a tradeoff that happens with Lockdown Mode," Ozbay told AppleInsider. "Think about it this way, if you were to set up tall barbed wire around your house, add cameras, hire guards, dogs, etc., it would keep you 'safe' but attract attention, and you could be identified."

Other privacy- or security-focused platforms, such as the Tor browser, have similar issues. For example, while Tor goes to great lengths to reduce website fingerprinting, users of the anonymous browser typically end up standing out because their browsers are the only ones with a set of specific settings.

Ozbay reportedly reached out to Apple and spoke with an engineer. That Apple staffer explained that the feature intentionally disables web fonts to reduce the online attack surface. Because of the threat model that Lockdown Mode addresses, they said that it wouldn't make sense to make an exception for custom fonts.

Ryan Stortz, an independent security researcher, says that if enough people turn on Lockdown Mode, they'll blend in and it will be harder for websites to detect an interesting target.



18 Comments

mike1 3437 comments · 10 Years

So, does putting a security company sign on your window make you more likely for a break in because it implies you have something worth having an alarm for? Or does it make you less likely because the thief will just decide to move on to an easier target?

tarman 5 comments · 9 Years

Wouldn’t using a VPN solve the issue?

jkdman123 5 comments · 11 Years

tarman said:
Wouldn’t using a VPN solve the issue?

It might solve the issue of associating lock down mode with your IP address, but you’d still be noticeable to the website for using lock down mode, and may be targeted some other way. And you’d be relying on the security of the VPN company, which seems to vary greatly, to keep your IP address safe.

retrogusto 1140 comments · 16 Years

Would Private Relay help to mitigate this?

xyzzy-xxx 201 comments · 6 Years

Apple should prevent websites from being able to detect if Lockdown Mode has been activated.