It came out today, which means it should be assumed insecure against state sponsored actors until proven otherwise with overwhelming evidence, not that we should give it the benefit of the doubt because maybe they really did it the 57th time after 56 total failures.
For that matter, it is not like they could not provide such evidence even though it came out today. It has presumably been in development for some time, so if they did actually provide verifiable protection against state sponsored attackers they could just release their formal proofs of security to that effect and be done with it or at least preliminary certification evidence demonstrating protection against high attack potential attackers as outlined in the international Common Criteria standard via AVA_VAN.5.
iOS is already certified according to Common Criteria as their only advertised security certification, just at the lowest possible level, and it already has a certification for high attack potential attackers, so doing this would be consistent with their existing certification regime and provide clear evidence supporting their claims.
Absent that, I see no independent verifiable evidence of any of their claims, endless precedent to dispute their claims, and not even a token effort to provide even a sliver of objective backing for their claims.
So why should I or anybody else reject the standard wisdom of “you are screwed if state sponsored attackers are interested in you and there is no product that can help you” and instead believe Apple’s marketing that they can?
> It came out today, which means it should be assumed insecure against state sponsored actors…
What was announced today is the first version of a feature in a beta version of an operating system that won’t be released for at least 2 months from now. Chill.
I’m sure there will be the requisite white paper, statements from security experts, verification from industry groups, presentations at security conferences, etc.
In the meanwhile, from what little we know now, it seems to be heading in the right direction.
Okay, point me to a single white paper or certification that can demonstrably, reliably differentiate between products that can protect against state-sponsored attackers and products that can not, and show any Apple product that has been verified against that standard to protect against state-sponsored attackers.
I will start by pointing out such a standard, the Common Criteria, which can reliably reject systems that can not protect against state-sponsored attackers as systems such as Windows have never been able to achieve even protection against moderately skilled attackers, which is a fair assessment. Under that standard, which iOS and all other Apple products are already certified to, Apple has never once been able to achieve protection against moderately skilled attackers let alone highly skilled attackers. In fact, that very same standard declares from empirical evidence gathered over decades that it is infeasible to retrofit a system that can not protect against moderately skilled attackers to ever become able to protect against moderately skilled attackers or above.
For reference, one way of demonstrating protection against highly skilled attackers according to the Common Criteria is to subject the systems to a penetration test by the NSA with full access to source code with successful penetration constituting a failure. That is a reference point for what protecting against a state-sponsored actor looks like according to the standard.
Security is not black-and-white, it's shades of gray. This feature aims to make exploitation harder. Formal proofs and certifications are nice but what I just said remains true even in the face of such things. iOS is regularly tested in the real world against highly resourceful attackers, and the results there are far more indicative of how well its security fares than anything else could be.
> it should be assumed insecure against state sponsored actors until proven otherwise with overwhelming evidence
Everything is always insecure. Like in toxicology, it's a matter of degree.
If you're really facing state-sponsored actors, you shouldn't be using an iPhone. You probably shouldn't be using a mobile phone. But that isn't a tradeoff most people are willing to make.
Lockdown Mode existing is unequivocally better than it not. Those who would have air gapped aren't going to be tricked into using Lockdown Mode instead. Instead, those who would have reluctantly used their iPhones in normal mode and e.g. turned off location tracking will now be better protected.
Yes, and like in toxicology it matters very little if instead of injecting a spoonful of botulism you instead inject a spoonful of less dangerous anthrax. Matters of degree still care about orders of magnitude and bright lines defining fitness for purpose.
Lockdown Mode is being advertised as protecting against state-sponsored actors: “Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group”. They are attempting to convince people who would otherwise air gap to avoid being killed that their systems are perfectly adequate. Their systems are on the order of 100x worse than what is necessary to protect against state-sponsored actors. It is not acceptable to attempt to conflate the two just because everything is a shade of gray; one is off-white and the other is off-black, they are not even remotely similar.
Apple’s advertising of Lockdown Mode is unequivocally worse for the stated use case than not having it at all since then at the very least people at risk would not be misled into thinking Apple can protect them. If they want to change their advertising to clearly indicate that it should not be used if you are at risk of state-sponsored attacks and that there is no independent verification for any of their claims, then I would agree with you, but they are not doing that. Until they do, they should be censured for making such irresponsible and reckless claims that mislead at-risk individuals from taking proper precautions.