A single iMessage with a seemingly harmless image, an automatically imported calendar invite, or shared smart home functionality – that's all it takes to fully compromise a device. These so-called zero-click attacks require no interaction from the user and occur without their knowledge. They primarily target individuals whose digital communications are particularly valuable, such as journalists, politicians, and activists. To protect these individuals, Apple introduced Lockdown Mode in 2022.
Lockdown Mode is an optional security feature designed to reduce the attack surface exposed to rare, sophisticated attacks by restricting or deactivating certain functions and components. Lockdown Mode is meant for individuals with an increased need for protection and is available on iPhones, iPads, Macs, and Apple Watches. Despite its importance, little research has been conducted on how Lockdown Mode is actually implemented.
In this talk, we will share the results of our analysis of Lockdown Mode on macOS 26. Using static and dynamic reverse engineering, including various LLDB scripts, we analyzed what Lockdown Mode looks like; which apps, daemons, and system services are protected by Lockdown Mode; and which attack vectors it is intended to reduce.
Presentation: https://www.youtube.com/live/2IaqyN3NO_0?si=5Yaxf7jBJYAN78K3&t=10879