FBI unable to extract data from iPhone 13 in Lockdown Mode in high profile case [pdf](storage.courtlistener.com)
12 points by armadyl 15 hours ago | 7 comments
  • joel_liu 12 hours ago

    This case is a significant real-world validation of Lockdown Mode's effectiveness against state-level forensic capabilities. What's particularly noteworthy is that CART (the FBI's Computer Analysis Response Team) couldn't extract the device - not that they partially succeeded or got metadata. This suggests that even with physical access and federal resources, the combination of a powered-on device in Lockdown Mode created an insurmountable barrier.

    For journalists covering sensitive topics, this demonstrates that Lockdown Mode isn't just theoretical protection against nation-state spyware - it's also practical defense against domestic forensic tools. The trade-off in usability (disabled JIT, limited iMessage features, etc.) seems worth it for anyone handling confidential sources.

    The interesting question now is whether this will accelerate efforts to legally compel password disclosure, since the technical extraction route appears blocked.

  • k310 15 hours ago

    About Lockdown Mode [0]

    > Lockdown Mode helps protect devices against extremely rare and highly sophisticated cyber attacks.

    > What is Lockdown Mode?

    > Lockdown Mode is an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. Most people are never targeted by attacks of this nature.

    > When Lockdown Mode is enabled, your device won’t function like it typically does. To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all.

    > Lockdown Mode is available in iOS 16 or later, iPadOS 16 or later, watchOS 10 or later, and macOS Ventura or later. Additional protections are available starting in iOS 17, iPadOS 17, watchOS 10, and macOS Sonoma.

    Details at the link. [0]

    It sure doesn't sound like much of a lockdown to me.

    [0] https://support.apple.com/en-us/105120

    • armadyl 14 hours ago |parent

      The things that Lockdown Mode disables actually massively reduce attack surface at the expense of user experience.

      For example, Graphite, the spyware used by Paragon, gets stopped in its tracks by Lockdown Mode as it disables link previews in iMessage (probably one of the more vulnerable apps due to its system privileges, alongside Safari, I believe), which can prevent zero-click attacks: https://citizenlab.ca/research/first-forensic-confirmation-o....

      The NSO Group’s Pegasus and BlastPass spywares are also stopped with Lockdown Mode (in Pegasus’ case, zero-click exploits at minimum are thwarted).

      Lockdown Mode’s USB protection is also effective at stopping Cellebrite, although its means of protection isn’t as comprehensive as GrapheneOS’s USB-blocking feature.

      It also disables (among other things) Safari’s JIT compiler/V8 and WebAssembly which are some of the biggest attack vectors for web-based malware.

      I noted it in the Apple Platform Security thread, but I would also like to see Lockdown Mode have full synchronous, across-the-board MTE, which would be a big feature, though I understand that this can introduce a severe performance regression.

      • k310 14 hours ago |parent

        I can see how the USB lock would stop Cellebrite, and perhaps that's all that CART had available, but I didn't see the other features as meaningful to a device with physical access.

        Those features are definitely useful for internet-based attacks.

  • armadyl 15 hours ago

    "New court record from the FBI details the state of the devices seized from Washington Post reporter Hannah Natanson"

    This is a high-profile espionage case related to the leak of TOP SECRET documents, therefore probably all possible tech was used to gain access to the devices.

    Page 5:

    In the upstairs of the house, investigators located a powered-off silver MacBook Pro with a black case, an Apple iPhone 13, a Handy branded audio recording device, and a Seagate portable hard drive. See id. ¶ 26. Investigators seized these devices. The iPhone was found powered on and charging, and its display noted that the phone was in “Lockdown” mode

    Page 6:

    The Computer Analysis Response Team (CART) began processing each device to preserve the information therein. The Handy recorder and the Seagate portable drive have been processed, but no review has occurred. See id. ¶ 37. Because the iPhone was in Lockdown mode, CART could not extract that device. See id. ¶ 35. Similarly, the personal MacBook Pro could not be imaged yet. See id. ¶ 36. The Garmin watch was not processed before this Court’s Standstill Order, and no further processing will occur until further order of the Court. See id. ¶ 37

    Source: https://storage.courtlistener.com/recap/gov.uscourts.vaed.58...

    ——-

    The above was from /u/treasoro on reddit: https://www.reddit.com/r/privacy/comments/1qsmy8g/fbi_was_no...

  • bediger4000 15 hours ago

    I was wondering how this sort of thing would play out, now that the oligarch's preferred autocrat is in office.

    • armadyl 15 hours ago |parent

      Honestly I wouldn’t put it past officials in the current environment to just (attempt to) hold someone in jail indefinitely until they decide to comply and give up their passwords.