Apple's secure Lockdown Mode may reduce web browsing anonymity

Posted:
in iPhone edited August 2022
Apple's new Lockdown Mode significantly increases the security of your iPhone, but the way it works could actually decrease your device's privacy while browsing online.

Lockdown Mode
Lockdown Mode


Lockdown Mode is an extreme security setting meant for high-risk groups -- like journalists and political figures -- who may find themselves targeted by nation-states or other malicious actors. It works by disabling a number of system functions, like blocking message attachments and web technologies.

However, Lockdown Mode's feature restriction could make it easy for websites to figure out if someone is using the high-security setting, John Ozbay, CEO of privacy firm Cryptee, told Motherboard.

That's because websites can detect if some regular features -- such as custom fonts -- are missing on a device. This is called fingerprinting, and it relies on collecting information about a user's browser, device, and other metrics

When you take into account that websites can tie your iPhone's Lockdown Status to your IP address, it becomes clear that the high-risk security mode could be a privacy risk itself.

In other words, it's trading anonymity online with higher security. As Ozbay explained to AppleInsider, "Lockdown Mode makes you safer, but also makes you easier to identify in a crowd."

To prove his point, Ozbay and the Cryptee team put together a proof of concept that can detect whether a user is in Lockdown Mode. According to Ozbay, the code took about "five minutes" to write.

The fact that websites can detect when a device is in Lockdown Mode is not a bug but a result of how the system is designed to make iPhones more secure. There's no way to mitigate the privacy drawbacks.

"Apple is doing a good job, but I wanted to raise awareness of a tradeoff that happens with Lockdown Mode," Ozbay told AppleInsider. "Think about it this way, if you were to set up tall barbed wire around your house, add cameras, hire guards, dogs, etc., it would keep you 'safe' but attract attention, and you could be identified."

Similar privacy - or security-focused platforms, like as the Tor browser, have similar issues. For example, while Tor goes to great lengths to reduce website fingerprinting, users of the anonymous browser typically end up standing out because their browsers are the only ones with a set of specific settings.

Ozbay reportedly reached out to Apple and spoke with an engineer. That Apple staffer explained that the feature intentionally disables web fonts to reduce the online attack surface. Because of the threat model that Lockdown Mode addresses, they said that it wouldn't make sense to make an exception for custom fonts.

Ryan Stortz, an independent security researcher, says that if enough people turn on Lockdown Mode, they'll blend in and it will be harder for websites to detect an interesting target.

Read on AppleInsider

Comments

  • Reply 1 of 18
    mike1mike1 Posts: 3,335member
    So, does putting a security company sign on your window make you more likely for a break in because it implies you have something worth having an alarm for? Or does it make you less likely because the thief will just decide to move on to an easier target?
    edited August 2022 sdw2001tdknoxwatto_cobrajony0
  • Reply 2 of 18
    Wouldn’t using a VPN solve the issue?
    watto_cobra
  • Reply 3 of 18
    tarman said:
    Wouldn’t using a VPN solve the issue?
    It might solve the issue of associating lock down mode with your IP address, but you’d still be noticeable to the website for using lock down mode, and may be targeted some other way. And you’d be relying on the security of the VPN company, which seems to vary greatly, to keep your IP address safe.
    WhiskeyAPPLEciderwilliamlondonAlex_Vwatto_cobrajony0
  • Reply 4 of 18
    retrogustoretrogusto Posts: 1,122member
    Would Private Relay help to mitigate this?
    williamlondonwatto_cobra
  • Reply 5 of 18
    Apple should prevent websites from being able to detect if Lockdown Mode has been activated.
  • Reply 6 of 18
    When you take into account that websites can tie your iPhone's Lockdown Status to your IP address, it becomes clear that the high-risk security mode could be a privacy risk itself.

    How though? How can a website detect your lockdown status? It isn’t able to detect operating system level settings the way a native app might, the same way it can’t know what files are on your hard drive. It just gets what the browser exposes through languages like JavaScript.

    The article doesn’t fully explain this. Curious to learn more.

    watto_cobra
  • Reply 7 of 18
    Could the phone send out false info for the services blocked to make it appear that the phone is not in locked down mode?
    bageljoeywatto_cobra
  • Reply 8 of 18
    22july201322july2013 Posts: 3,647member
    It's a believable report, but if 1% of iOS's billion users turn on Lockdown mode, then that makes it harder to use this technique to gain any advantage.

    Evil governments (eg, China) have several options at their disposal:
    • they can make it illegal for Apple to include Lockdown mode as part of iOS in their country;
    • they can pass a law making it illegal for users who somehow obtain Lockdown mode from turning it on;
    • they can do random spot checks on citizens of their country. (Remember, there are no fourth amendment rights in evil countries.) If you are caught with Lockdown mode turned on, you (and/or your family) go to jail;
    • they can do IP-location tracking (except when Private Relay is being used) to find people who are using Lockdown mode and send them to jail.
    If the fourth bullet above is being hindered by Apple Private Relay, then any evil government could use the same steps above against Private Relay. I would point out that Apple Private Relay is ALREADY not available in China, which essentially means that China has already performed step #1 above on Apple Private Relay.

    You see, evil governments are already doing at least one of the steps above:
    "Apple says that Private Relay will not be available in China when it launches to the public later this year. It will also be unavailable in Belarus, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda, and the Philippines. The company attributed these limitations to regulatory reasons."
    "Regulatory reasons"? Try "lack of human rights" instead. But I can't blame Apple for this human rights issue.
    watto_cobrabaconstangjony0
  • Reply 9 of 18
    danoxdanox Posts: 3,125member
    The new Ad and content Apple can’t possibly get it right, why because they don’t want too.
    williamlondon
  • Reply 10 of 18
    danoxdanox Posts: 3,125member
    tarman said:
    Wouldn’t using a VPN solve the issue?
    Are there any programs like Little Snitch in the Apple store? If not there’s your answer.
    williamlondon
  • Reply 11 of 18
    22july201322july2013 Posts: 3,647member
    tarman said:
    Wouldn’t using a VPN solve the issue?
    VPNs are banned by evil governments (like China) unless the VPN provides a back door for the government to gain full access.

    Actually, China hasn't officially banned all VPNs, but they do ban most VPN products, and the government sometimes threatens to ban all of them. I think the reason they don't ban all of them is because then they would have to ban the ones that give them a back door to your phone.

    If you are a tourist entering China, they can (and do) look at your phone and insist that you delete your VPN apps. Sometimes they install spyware.

    watto_cobra
  • Reply 12 of 18
    When you take into account that websites can tie your iPhone's Lockdown Status to your IP address, it becomes clear that the high-risk security mode could be a privacy risk itself.

    How though? How can a website detect your lockdown status? It isn’t able to detect operating system level settings the way a native app might, the same way it can’t know what files are on your hard drive. It just gets what the browser exposes through languages like JavaScript.

    The article doesn’t fully explain this. Curious to learn more.

    It’s not that the lockdown mode a website can detect, it’s the lack of information a website can get from your device. And because a typical combination of information cannot be retrieved from your iPhone, that itself fingerprints your device as an iPhone with Lockdown turned on, because other phones share other combinations of information that can or cannot be retrieved. 
    Only if all phones would restrain from sharing the same information (i.e. have the same type of lockdown mode) only then you’d be anonymous. 
    watto_cobrajony0
  • Reply 13 of 18
    22july201322july2013 Posts: 3,647member
    Apple doesn't say exactly which iOS features are locked down, but I'd like to prompt some concern by making comparisons to the kind of information a devious company can get from a telephone call, or from someone using a mouse on a website.

    When a person answers the telephone with "Hello?" they are giving away all kinds of information that the caller, who is often a robo-dialer, can use against you. That one word gives away your age, your sex, your language, and more. Even your accent might be able to geo-locate you within 100 miles. In England, they can currently geo-locate you (using your accent) within 20 miles (before BBC TV was widespread, the geo-location distance from your voice was 5 miles.) They can record all the information they can infer from your response, and sell that information to other companies. These companies aren't even subject to UK law because they aren't based in the UK.

    These days, javascript code running on a website can easily tell your height (because the curvature of the arc when you move your mouse a long distance gives away the length of your wrist or forearm, depending on how you move your mouse.) And your height has a correlation to your sex. So they can tell your sex from your mouse's motion. The correlation isn't 100% accurate, of course, but it's good enough to improve the effectiveness of ad choices. All the inferences they make from innocent-looking data are deep trade secrets. Like the phone example above, these companies can be foreign-located, and therefore unrestricted in obtaining and recording personal data from you like your religion, race, handicapped status, health, prescriptions, gender orientation, etc.

    Web browsers also say "Hello" in their interaction with websites. If you want to see some of the things they offer to the web server, may I suggest visiting this site: (I have never seen this website prior to one minute ago. I don't know much about it.) These are some of the things that Apple probably blocks.

    https://privacy.net/analyzer/ <--
    freeassociate2appleinsideruserbaconstangjony0
  • Reply 14 of 18
    maltzmaltz Posts: 475member
    xyzzy-xxx said:
    Apple should prevent websites from being able to detect if Lockdown Mode has been activated.

    That's like saying that a burglar shouldn't be able to tell if your front door is locked.  Any effective security measure will inherently give away the fact that you're using it.
    edited August 2022 watto_cobrabaconstang
  • Reply 15 of 18
    maltz said:
    xyzzy-xxx said:
    Apple should prevent websites from being able to detect if Lockdown Mode has been activated.
    That's like saying that a burglar shouldn't be able to tell if your front door is locked.  Any effective security measure will inherently give away the fact that you're using it.
    Not necessarily.

    There are steps Apple could take in the future to mitigate this problem. For example, one of the ways this article implies that Secure mode is being deduced is by the restricted list of available fonts. Apple could make safari lie about available fonts in secure mode - for example, it could pull the list of available fonts from a few million web visitors who aren't using secure mode, and use that data to generate a list of available fonts to lie to a website (or its javascript) if asked. The list would be different day to day, with each font appearing as often statistically as determined by the observed visitors to apple.com.

    The basic idea of hiding information from adversaries is old and well-studied, and has shown up in many different times and ways throughout human history. For example, famously, it was a key problem facing Bletchley Park in world war II (how do we take advantage of knowing the Germans' codes, without revealing that we know them?). Apple's problem here is in some ways not very different - how do we hide information, without revealing that we're hiding it?

    For fun, not the same but a related idea, look up Steganography.
    watto_cobra
  • Reply 16 of 18
    22july201322july2013 Posts: 3,647member
    maltz said:
    xyzzy-xxx said:
    Apple should prevent websites from being able to detect if Lockdown Mode has been activated.
    That's like saying that a burglar shouldn't be able to tell if your front door is locked.  Any effective security measure will inherently give away the fact that you're using it.
    Not necessarily. There are steps Apple could take in the future to mitigate this problem. For example, one of the ways this article implies that Secure mode is being deduced is by the restricted list of available fonts. Apple could make safari lie about available fonts in secure mode - for example, it could pull the list of available fonts from a few million web visitors who aren't using secure mode, and use that data to generate a list of available fonts to lie to a website (or its javascript) if asked. The list would be different day to day, with each font appearing as often statistically as determined by the observed visitors to apple.com.
    Sure, Apple (iOS) can lie all it wants. But then when the website provides data using those fonts, what should iOS do? If it's lying about support a font, then that font is delivered by the web server, does it fail to show the text to the end user? If it's not failing to show the text, then it's telling the truth about supporting the font. I don't think you have thought this through.
    mike1watto_cobramaltz
  • Reply 17 of 18
    maltz said:
    xyzzy-xxx said:
    Apple should prevent websites from being able to detect if Lockdown Mode has been activated.
    That's like saying that a burglar shouldn't be able to tell if your front door is locked.  Any effective security measure will inherently give away the fact that you're using it.
    Not necessarily. There are steps Apple could take in the future to mitigate this problem. For example, one of the ways this article implies that Secure mode is being deduced is by the restricted list of available fonts. Apple could make safari lie about available fonts in secure mode - for example, it could pull the list of available fonts from a few million web visitors who aren't using secure mode, and use that data to generate a list of available fonts to lie to a website (or its javascript) if asked. The list would be different day to day, with each font appearing as often statistically as determined by the observed visitors to apple.com.
    Sure, Apple (iOS) can lie all it wants. But then when the website provides data using those fonts, what should iOS do? If it's lying about support a font, then that font is delivered by the web server, does it fail to show the text to the end user? If it's not failing to show the text, then it's telling the truth about supporting the font. I don't think you have thought this through.
    Seriously? There are difficult issues here, but that's not one of them. Along with generating the master list of popular fonts, you create a map from those fonts to built-in phone fonts, choosing the ones with the most similar metrics. Keep track of different character sets, and possibly download a few necessary fonts when enabling secure mode.
    watto_cobra
  • Reply 18 of 18
    StrangeDaysStrangeDays Posts: 12,964member

    These days, javascript code running on a website can easily tell your height (because the curvature of the arc when you move your mouse a long distance gives away the length of your wrist or forearm, depending on how you move your mouse.) And your height has a correlation to your sex. So they can tell your sex from your mouse's motion. The correlation isn't 100% accurate, of course, but it's good enough to improve the effectiveness of ad choices. All the inferences they make from innocent-looking data are deep trade secrets. Like the phone example above, these companies can be foreign-located, and therefore unrestricted in obtaining and recording personal data from you like your religion, race, handicapped status, health, prescriptions, gender orientation, etc.
    Can you share a link that demonstrates this? I can't find any web dev info on how to easily determine this. Which JavaScript frameworks do this? Where can I see it in action? I can't find any sites uses such code. What should I be searching for to see this done or read developer discussion on how to parse good mouse movement data from bad in order to do so accurately? I found nothing.
    edited August 2022 watto_cobramuthuk_vanalingamjony0
Sign In or Register to comment.