Apple reports zero spyware breaches for users in Lockdown Mode

Nearly four years after introducing its Lockdown Mode security feature, Apple says it has not identified a single instance where a device with the feature enabled was successfully compromised by spyware.

"We are not aware of any successful mercenary spyware attacks against a Lockdown Mode-enabled Apple device," Apple spokesperson Sarah O'Rourke said on Friday.

This marks the latest reaffirmation from the company of Lockdown Mode's effectiveness against highly sophisticated threats, building on similar claims Apple made roughly a year after the feature was first introduced.

Apple originally launched Lockdown Mode in 2022 as an optional security setting designed to protect high-risk individuals. The feature disables or restricts certain functions across iPhones and other Apple devices that are commonly exploited by advanced spyware. It was specifically created to defend against targeted surveillance tools developed by companies such as Intellexa, NSO Group, and Paragon Solutions.

In recent years, Apple has acknowledged that even its devices can be vulnerable to spyware attacks and has taken a more proactive stance in notifying affected users. The company has sent multiple waves of alerts to individuals across more than 150 countries, warning them that spyware campaigns may have targeted them. While Apple has not disclosed exact figures, the number of impacted users is believed to be at least in the dozens, if not higher.

Donncha Ó Cearbhaill, who leads the security lab at Amnesty International and has investigated numerous spyware incidents, said that neither he nor his team has observed a successful compromise of an iPhone where Lockdown Mode was active at the time of the attack.

Organisations focused on digital rights and cybersecurity, including Amnesty International and the University of Toronto’s Citizen Lab, have documented multiple cases of spyware targeting Apple devices. However, none of those investigations has identified a scenario in which Lockdown Mode was bypassed. In at least two separate incidents, Citizen Lab researchers reported that Lockdown Mode actively blocked attempted infections — one involving NSO Group’s Pegasus spyware and another linked to Predator, a tool associated with Intellexa.

In one documented case analysed by researchers at Google, the spyware appeared to abandon its attack entirely upon detecting that Lockdown Mode was enabled, suggesting that attackers may deliberately avoid engaging with devices that use the feature to reduce the risk of exposure.

Apple security expert Patrick Wardle described Lockdown Mode as one of the most aggressive protective measures ever introduced for consumers. According to him, the feature significantly reduces the number of potential entry points attackers can exploit.

By limiting functionalities such as message attachments and certain web features, Lockdown Mode effectively narrows the attack surface available to spyware developers. This forces attackers to rely on more complex, costly, and less scalable methods to attempt intrusions.

Wardle noted that the feature "kills entire delivery mechanisms and exploit classes," particularly those used in zero-click attacks — techniques that allow devices to be compromised without any user interaction.

While it remains theoretically possible that a sophisticated attack could bypass Lockdown Mode without being detected, no such case has been confirmed by Apple or independent researchers to date. Given Apple's typically cautious communication around security matters, the company's continued confidence in the feature underscores its significance.

For users, Lockdown Mode operates quietly in the background, though it does introduce some usability trade-offs. Certain actions, such as opening links in messages, may require additional steps, and some features are intentionally restricted.

Despite these minor inconveniences, security professionals widely recommend enabling Lockdown Mode for individuals who believe they may be at risk of targeted digital surveillance or advanced cyberattacks.