With iOS 16 Apple has introduced a new extreme security mode called the Lockdown mode. When enabled on iPhone, iPad or Mac the Lockdown mode protects individuals that are targets of high level state sponsored attacks.
While the news of Lockdown mode was received with positive sentiments by privacy advocates, it looks like this new feature might pose some threats to its users.
This was highlighted by a privacy activist who says a website would be able to detect if someone is using their Apple device with Lockdown mode turned on. This information could be valuable to a rogue government, as after detecting Lockdown mode on a device, they would know that this person is using iPhone’s Lockdown mode because they think they might be a target to highly sophisticated attacks and have something to hide – making them an even bigger target.
When Lockdown mode is enabled on iOS or macOS device, it prevents the web browser from loading custom fonts from a website, as such fonts can potentially be used to inject malware into the device. So when a device stops a website from loading custom fonts, that website will be able to determine that the device might have the lockdown mode turned on.
Here’s what CEO of privacy focused company Cryptee John Ozbay told Motherboard.
“Let’s say you’re in China, and you’re using Lockdown Mode. Now, any website that you visit could effectively detect you are using Lockdown Mode, they have your IP address as well. So they will actually be able to identify that the user with this IP address is using Lockdown Mode,” Ozbay said in a call. “It’s a tradeoff between security and privacy. [Apple] chose security.”
Ozbay said that there are several features that Lockdown Mode disables, and that websites could detect, but the lack of loading custom fonts is “the easiest thing to detect and exploit.”
While this information may be alarming for those who the Lockdown mode is designed for, normal users do not need to worry or have the need to enable Lockdown mode on their device.
And those who require such extreme level of security can simply avoid visiting websites that they believe might pass on this information to a government who is after them.