Apple’s Lockdown Mode is good for security — but its notifications are baffling

As a paranoid journalist, I am an enthusiastic user of Apple’s opt-in “extreme protection” feature, Lockdown Mode.

Apple launched Lockdown Mode in 2022, and the security feature has since been considered a must-use for dissidents in corrupt countries, human-rights defenders in oppressive regimes, and journalists speaking truth to power.

Lockdown Mode is designed to switch off some features in iPhones, iPads, and Macs, with the goal of reducing the likelihood that hackers armed with sophisticated spyware or zero-days — unknown flaws in systems that allow attackers to stealthily exploit them — can successfully break Apple’s operating system protections and spy on its users. 

In practice, Lockdown Mode removes some normal Apple device features, such as fonts loaded from the internet that can track you, the ability to receive certain types of files, your location data from photos that you share, support for 2G cellular connectivity, and letting people who haven’t contacted you before reach you over FaceTime and iMessage; although it’s unclear if the latter is the case (more on that later).

In exchange for these nuisances, Lockdown Mode makes it harder for you to get hacked, even by some of the most advanced hackers out there. 

Lockdown Mode already has a track record of blocking those advanced attacks. Apple says it is not aware of any successful hack against its users who have enabled Lockdown Mode, and digital rights group Citizen Lab has documented an attempted spyware attack blocked by Lockdown Mode. I, too, have personally heard some people in the offensive security industry complain about Lockdown Mode making their exploits more difficult.

But three years after its debut, exactly how Lockdown Mode works is still shrouded in obscurity, and there is little explanation of the reasoning behind the actions Lockdown Mode takes. And some of Lockdown Mode’s notifications are downright confusing, unexplained, or seemingly random, which might discourage some users from using Lockdown Mode altogether.

Blocked, but why?

Let me preface this by saying that people who are at risk from government hackers must use Lockdown Mode, even considering the restrictions that come with it.

Those restrictions are not the problem. Lockdown Mode’s notifications have become increasingly puzzling.

Case in point: The other day, I received this Lockdown Mode notification out of nowhere, mentioning someone by name who I haven’t talked to in months, and from whom I did not receive a message or a call afterwards. Following this notification, when I asked if she tried to contact me, she said that no, she did not.

Someone also told me that as they were scrolling through their contacts, one of their friends saw a “Lockdown Mode blocked…” notification with his name on, suggesting Lockdown Mode can be triggered simply by viewing someone’s contact. 

But…why?

For months I have been getting the same notification telling me that Lockdown Mode blocked someone “from contacting” me, every time I use iMessage, and it always mentions someone I know, and who is already in my contacts. 

These notifications often pop up when I am already messaging that person on iMessage, which makes it unclear if I am going to stop getting their messages, or worse, that some of their messages have already disappeared thanks to Lockdown Mode. 

Hell, maybe this means I am getting hacked, or at least targeted? Should I get my phone checked every time I get one of these notifications? 

It turns out I can still keep chatting with the very people that Lockdown Mode claims to have blocked. These people are quite literally contacting me, and I am chatting with them. What is Lockdown Mode actually doing here?

Contact Us

Have you seen any strange Lockdown Mode notifications? Or do you do security research on Lockdown Mode? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

Tapping on Lockdown Mode notifications does nothing. You aren’t redirected to an Apple website that explains what Lockdown Mode is or does, nor does it explain what these notifications specifically mean.  

“I don’t think these messages are helpful. They do not include any context and are not actionable, nor is there a way to figure out what’s going on,” Runa Sandvik, a hacker who has a startup that helps journalists and other high-risk people protect themselves, told TechCrunch. “I’d love to see Apple either share more information so that we know what to ‘do’ with them, or not display them at all.”

Sandvik and I are not the only ones left scratching our chins every time we see Lockdown Mode notifications. When I wrote about my concerns about Lockdown Mode on social media, several people responded publicly — and in private — saying they have had similar experiences, and are also confused. 

My editor Zack Whittaker, for example, has for months been sporadically getting Lockdown Mode notifications saying “an unknown contact attempted to share control of Apple Music,” as well as a notification that Lockdown Mode “blocked Focus Sharing,” and “won’t be shared with other people when in Lockdown.” (I also get this notification from time to time.)

To the lab we go

I decided to run an experiment with the help of Harlo Holmes, chief information security officer and the director of digital security at Freedom of the Press Foundation, a non-profit that helps support the free press. I wondered if it made any difference — in terms of triggering the confusing notifications — whether someone not in my contacts tried to reach out to me with Lockdown Mode enabled on my phone, and what type of content it would block.

We both deleted each other from our contact lists (we’re still friends though), and started chatting for the first time ever on iMessage. When Holmes texted me — and neither of us was in the other’s contact list — I received the “Lockdown Mode blocked…” notification, this time displaying her phone number. I still received her message.

We exchanged text, emojis, a cat picture, and iMessage “stickers.” All of these went through, except for the stickers, which turned to either a Unicode character of a question mark, or a nondescript file attachment, which can’t be opened, even if you tap on it.

When this happened, both Holmes and I could still see the stickers we sent from our own phones, meaning the blocking was only visible to the recipient. That is also the case for the “Lockdown Mode blocked…” notification. I received the notification, but Holmes didn’t know I got it. 

This makes sense, as Apple wouldn’t want to tip off government hackers that their attempt to hack someone not only didn’t work, but also alerted the targeted individual that something went wrong.

That’s good to know, and again, I am happy Lockdown Mode blocks something, and makes me safer, but I still don’t know what these notifications are supposed to tell me. 

I reached out to Apple asking them for some explanations, but an Apple spokesperson did not provide on-the-record remarks by press time. At least the spokesperson acknowledged receiving my message, so I know Lockdown Mode didn’t block it.
