
Websites Can Identify If You’re Using the New iPhone Lockdown Mode

A woman using an iPhone.

Image: Urupong/Getty Images

Once Apple launches the new operating system for iPhone and iPad early next month, users will be able to activate a new privacy mode that the company calls “extreme.” It is designed for journalists, activists, politicians, human rights defenders and anyone else who fears being targeted by sophisticated hackers, perhaps working for governments armed with spyware made by companies such as NSO Group. Apple calls it “Lockdown Mode,” and it works by disabling some regular iPhone features that have been exploited to hack users in the past.

But if users enable Lockdown Mode, they will be easy to identify, according to a developer who has created a proof-of-concept website that detects whether Lockdown Mode is enabled or not.

John Ozbay, CEO of privacy-focused company Cryptee and privacy activist, told Motherboard that any website or online advertisement can detect if certain regular features are missing, such as loading custom fonts, one of the features that lockdown mode disables.

“Let’s say you’re in China and you’re on lockdown mode. Now any website you visit can effectively detect that you are using lockdown mode, they also have your IP address. So they can actually identify that the user with that IP address is using lockdown mode,” Ozbay said during a call. “It’s a trade-off between security and privacy. [Apple] chose safety.”


Ozbay said there are several features Lockdown Mode disables that websites could detect, but the lack of loading custom fonts is “the easiest thing to detect and exploit.”

“It took us five minutes to put the code together and see if it worked,” he said.

This issue, which is technically not a bug but a consequence of the specific design of Lockdown Mode, could paint a massive target on the backs of what are probably Apple’s most vulnerable users. Unfortunately, there may be no way around this.

“As far as fingerprints are concerned, this is unfortunately a compromise that we always have to deal with. The same goes for Tor and the Tor Browser – they go out of their way to reduce any fingerprinting capability, but you end up standing out because you’re the one with the least traceable fingerprints,” Ryan Stortz, an independent security researcher who has studied iOS, told Motherboard.

Ozbay created a proof-of-concept website that detects if the visitor is using Lockdown Mode. Motherboard verified that it works by visiting the website with an iPhone without Lockdown Mode enabled and asking Stortz, who has Lockdown Mode enabled, to visit the site.


A screenshot of the proof-of-concept website created by Ozbay. (Image: Motherboard)

Ozbay reached out to an Apple employee on Twitter and had a chat with him about the issues he found. The employee, according to screenshots of their chat, told him that “web fonts are intentionally disabled to remove font scanning from the available web attack surface” and that “watering hole attacks are part of our threat model, so I’m not sure it would make sense to have web font exceptions per site.” (Watering hole attacks are exploits where hackers lure a victim to a known website where they have injected malware, or to an impersonator of a known website that distributes malware.)

In other words, there is nothing Apple can do at this time to alleviate this issue without fundamentally changing how lockdown mode works.

Apple did not respond to a request for comment.

Even if Apple doesn’t make any changes, Stortz hopes that if enough people activate Lockdown Mode, everyone will blend in and it will be harder to single anyone out as an interesting target.

“Obviously you have to go into lockdown mode and somehow signal that you think you might be of interest to a nation-state attacker, but Apple has also made enabling it extremely easy,” he said. “So ideally you’d be lost in the crowd of more privacy-conscious people without the targeted spying issues.”
