In context: Apple designed its upcoming Lockdown Mode to protect devices against spyware. However, the head of a privacy startup says websites can easily tell when a visitor has Lockdown Mode enabled, which could single those users out despite the feature's purpose.
John Ozbay, head of privacy technology company Cryptee, told Vice that he believes Apple's upcoming Lockdown Mode will make devices easier to fingerprint. This basic design flaw could paint a target on the very users who enable the mode to defend against surveillance tools such as spyware.
Lockdown Mode, which will ship with iOS 16, iPadOS 16 and macOS Ventura when they launch this fall, is Apple's answer to spyware from developers like NSO Group and RCS Labs. Both organizations have created spyware that governments have used to track diplomats, politicians, journalists and activists.
Apple designed Lockdown Mode as an optional, extreme protection that users can switch on when they believe they are being targeted. When enabled, it disables certain features in Safari (such as just-in-time JavaScript compilation) and in the Messages app (most attachment types other than images, and link previews) that could serve as vectors for spyware and other malware. It also blocks incoming FaceTime calls from people the user has not previously called, blocks wired connections to a computer or accessory while the device is locked, prevents installing configuration profiles and enrolling in mobile device management, and adds other protections.
With this proof of concept, my goal was to start a conversation about the topic of security/privacy trade-offs and what enabling LM might mean for users at risk. Maybe everyone will agree with this compromise, but I thought it was important to have this conversation first.
— johnozbay (@johnozbay) August 25, 2022
However, the absence of these features in the browser is itself observable, so a website can infer that a visitor is using Lockdown Mode. Some sites and advertisers use fingerprinting to identify and track devices without cookies by combining a set of characteristics: IP address, installed fonts, user agent string, screen resolution, plugins, and which features a user has disabled or opted out of.
Ozbay tested his theory by building a website that detects whether a device has Lockdown Mode enabled, which he said took Cryptee five minutes. A site that can pair a visitor's IP address with the knowledge that they use Lockdown Mode could draw attention to exactly the people taking extra steps to protect themselves.
Apple told Ozbay that Lockdown Mode disables web fonts, which removes one detail by which websites can fingerprint devices (the fonts a page can load). The trade-off is that a page whose fonts fail to load learns something too. It is currently unclear what other measures the feature will take to resist fingerprinting.
Security researcher Ryan Stortz hopes a large number of users will enable Lockdown Mode, since the larger the crowd of devices sharing the same profile, the harder it becomes to single out any one of them.
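The following is an added example, not Ozbay's or Cryptee's proof of concept and not Apple code. It shows the mechanism the previous paragraphs describe: a page probes whether a remote web font loads, treats a refusal as a signal, and folds that bit into a fingerprint alongside the usual traits. The font URL, the trait names, the Apple-platform user agent check and the sample visitors are all constructed for illustration; the browser-side probe uses the standard FontFace API and simply returns null when run outside a browser.

```javascript
// Added example (not Cryptee's or Apple's code): turning a missing browser
// feature (remote web fonts) into a fingerprint bit. Probe URL, trait names
// and sample visitors below are constructed for illustration.

// FNV-1a 32-bit hash: enough to turn a trait list into a compact, stable id.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// Classify raw probe results. webFontLoaded === false means the browser
// refused a remote font, one of the behaviours the article attributes to
// Lockdown Mode. Content blockers and hardened browsers refuse fonts too,
// so the Apple-platform check (an assumption of this example) narrows the
// verdict; it is a signal, not proof.
function classifyProbes(probes) {
  const webFontsBlocked = probes.webFontLoaded === false;
  const applePlatform = /\b(iPhone|iPad|Macintosh)\b/.test(probes.userAgent || "");
  return {
    webFontsBlocked,
    likelyLockdownMode: webFontsBlocked && applePlatform,
  };
}

// Fold traits (including the derived Lockdown bit) into a fingerprint.
// Sorting the keys keeps the hash stable across visits.
function fingerprint(traits) {
  const canonical = Object.keys(traits)
    .sort()
    .map((k) => `${k}=${traits[k]}`)
    .join("|");
  return fnv1a32(canonical);
}

// Browser-side probe using the FontFace API. Returns null outside a browser.
async function probeBrowser(fontUrl) {
  if (typeof document === "undefined" || typeof FontFace === "undefined") return null;
  const face = new FontFace("ProbeFont", `url(${fontUrl})`);
  let webFontLoaded = false;
  try {
    await face.load();
    document.fonts.add(face);
    webFontLoaded = document.fonts.check("12px ProbeFont");
  } catch (_) {
    webFontLoaded = false; // load rejected: remote fonts are blocked
  }
  return {
    webFontLoaded,
    userAgent: navigator.userAgent,
    screen: `${screen.width}x${screen.height}`,
    language: navigator.language,
  };
}

// Constructed sample visitors. "normal" and "lockdown" are the same iPhone,
// differing only in whether the remote font loaded.
const IPHONE_UA =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1";
const LINUX_FIREFOX_UA =
  "Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0";
const SAMPLE_VISITORS = {
  normal: { webFontLoaded: true, userAgent: IPHONE_UA, screen: "390x844", language: "en-US" },
  lockdown: { webFontLoaded: false, userAgent: IPHONE_UA, screen: "390x844", language: "en-US" },
  firefoxNoFonts: { webFontLoaded: false, userAgent: LINUX_FIREFOX_UA, screen: "1920x1080", language: "en-US" },
};

// Full pipeline for one visitor: verdict plus the fingerprint that now
// carries the Lockdown bit.
function profileVisitor(probes) {
  const verdict = classifyProbes(probes);
  const id = fingerprint({ ...probes, likelyLockdownMode: verdict.likelyLockdownMode });
  return { ...verdict, id };
}

for (const [name, visitor] of Object.entries(SAMPLE_VISITORS)) {
  console.log(name, profileVisitor(visitor));
}
```

The two iPhone visitors produce different fingerprints even though every other trait matches, which is the point Ozbay raises: enabling the mode moves a device out of the large crowd of ordinary iPhones and into the much smaller crowd of devices that refuse web fonts. The Firefox visitor shows the caveat in the other direction, since blocked fonts alone do not prove Lockdown Mode.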