Apple's Lockdown Mode: Once an 'extreme' security protection, now a necessity for Americans
An often-overlooked security feature in Apple devices that makes it more difficult for cyberattacks to compromise iPhones, iPads, Macs, and Watches is getting its moment in the spotlight after proving so far effective at blocking federal agents from accessing the iPhone of a Washington Post reporter.
In a court document on January 30, U.S. prosecutors said that the FBI was unable to access the data on the phone of journalist Hannah Natanson, some two weeks after her phone was seized, reports 404 Media ($). Marcy Wheeler, who writes at emptywheel, also has an excellent post worth reading.
According to prosecutors, the FBI was blocked thanks to Lockdown Mode, which Apple bills as an "extreme protection" to defend users who think they are being targeted by cyberattacks, like government spyware, or — in this case — a mobile forensics device designed to unlock Natanson's phone.
This disclosure is the first known admission that Apple's Lockdown Mode can defeat some of the mobile unlocking tools used by the FBI. Many of the same commercial phone hacking tools are also used by other federal agencies, such as ICE, local police departments across the U.S., and globally, sometimes against protesters.
The raid on Natanson's home and devices is mired in controversy. Natanson has not been accused of a crime, nor is she the subject of the FBI's investigation into the government contractor who allegedly leaked classified information to her. Natanson's extensive reporting over the past year has cited more than a thousand government workers, many of whom have been critical of the Trump administration in the face of widespread cuts to the federal workforce. This reporting likely made her the target of an administration that is already bending the rules of the Fourth Amendment to go after its critics. As a journalist, Natanson is also broadly shielded under U.S. federal law from having her phone and devices raided by the government.
All to say, if this kind of seizure can happen to Natanson, it can happen to others.
It is all the more important that independent journalists and citizens alike, who lawfully exercise their First Amendment rights by documenting and filming abuses on their phones, consider taking additional precautions to protect themselves from an increasingly unpredictable government.
That's where Lockdown Mode can play a part.
Lockdown Mode, which rolled out in iOS 16 in 2022, works by broadly switching off certain functions on your Apple devices, while limiting others, to block the common routes that cyberattacks use to break into these devices. In doing so, Apple makes it significantly more difficult for malicious hackers to hack into your device, or for sensitive data, such as your location, to leave it.
In the case of Natanson's phone, a specific Lockdown Mode feature prevented access to her phone's data. In Apple's documentation, Lockdown Mode blocks Apple devices from allowing "direct connections" from unknown devices, including plug-in accessories (or mobile forensic devices), unless the device has been unlocked.
I've used Lockdown Mode since its launch, and after a relatively short learning curve, I found it doesn't get in the way of my everyday working life. Aside from the unseen protections, like disallowing direct connections from external accessories and devices, there are some more noticeable usability tradeoffs with Lockdown Mode that you get used to fairly quickly. A common hurdle is having to take an extra step to manually copy links from my messages app, then paste them into my browser, rather than tapping the link preview directly. This is a simple but effective way of reducing the success of malicious attacks, like spyware sent by text message, and as a result makes it vastly more difficult for hackers or governments to steal my phone's data.
The Electronic Frontier Foundation has a great guide on what Lockdown Mode is, how it works, what it does, and what features it helps to limit for your protection.
On its own, Lockdown Mode is not a panacea, and there are plenty of other security and privacy precautions to think about as well, depending on your own personal threat model. In Natanson's case, the feds were able to get access to her cloud-stored documents and her Signal texts through her linked work laptop, which was unlocked by her fingerprint.
I have some additional thoughts for "Astonishing admins" subscribers after the fold. This includes additional security steps you can take to protect yourself from real-world adversaries and why they work, such as if you're faced with a police or law enforcement situation. I also have some more about what this means for Android device users, and other resources you can consider to strengthen your mobile devices.
~this week in security~ is a weekly cybersecurity newsletter by Zack Whittaker, featuring all the news you need to know, good news in the happy corner, a cyber-cat, and much more.