In an attempt to protect its most vulnerable users, Apple has announced an upcoming feature designed to thwart hacking attempts from government malware. Apple’s announcement specifically called malware created by the Israeli spyware firm NSO Group, which was recently caught spying on dozens of journalists, government officials, and dissidents..

The new feature is called “Lockdown Mode” and Apple described it as “extreme” and “groundbreaking” security capability in its press release published on Wednesday.

“Lockdown Mode—the first major capability of its kind, coming this fall with iOS 16, iPadOS 16, and macOS Ventura—is an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security,” Apple wrote in the announcement. 

In practice, Lockdown Mode turns off several features that can be exploited by hackers who use government spyware made by companies such as NSO Group or Candiru. The features that will be turned off if a user decides to use Lockdown Mode are: accepting attachments sent via iMessage other than images, some web technologies like a type of Javascript compilation, incoming FaceTime calls from unknown callers, wired connections to a computer when the phone is locked, and the ability to install mobile device management (MDM) configurations, which have been used by government spyware makers to install malware on users’ phones. 

A screenshot of the upcoming Lockdown Mode for iPhones.

An Apple spokesperson told Motherboard that some of the features in Lockdown Mode could not previously be manually turned on by a user.

Apple also announced a new category in its bug bounty program. If researchers find bypasses to Lockdown Mode, they could be eligible for a reward of up to $2 million. The company is also offering a grant of $10 million to “to support organizations that investigate, expose, and prevent highly targeted cyberattacks, including those created by private companies developing state-sponsored mercenary spyware.”

Cybersecurity experts with experience investigating cases where governments have used spyware made by companies such as NSO Group or the now-defunct Hacking Team praised Apple’s new feature. 

A screenshot that shows Lockdown Mode running on an iPhone with iOS 16 beta.

“We have story after story and report after report which shows that NSO Group has compromised tens of thousands of iPhones. This makes up a very small percentage of their users, but they are also some of their most vulnerable and/or their most influential,” Eva Galperin, director of cybersecurity at activist organization the Electronic Frontier Foundation,director of cybersecurity at activist organization the Electronic Frontier Foundation,, told Motherboard in an online chat. “I am guessing that people will ask why this level of protection will not be made standard for every iPhone user and the answer to that is that this protection comes at the expense of usability. For most people, this is simply not a worthwhile tradeoff. If you think you're likely to be targeted by Pegasus, the calculus is suddenly very different, and the tradeoff may be worthwhile.”

Do you have information about government malware vendors? Or cases of spyware abuse? We’d love to hear from you. From a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email [email protected]

John Scott-Railton, a senior researcher at Citizen Lab, a digital rights watchdog housed at the University of Toronto's Munk School, said that this is something people had been asking for a long time to protect high-risk users. 

“It’s a radical reduction in the threat surface for whole categories of attacks. It’s a pretty promising step forward,” Scott-Railton said in a phone call. “The things that Apple is pairing off are some of the places we know exploit devs and mercenary spyware companies were using to get malware onto devices and do zero-day attacks.”

Joseph Cox contributed reporting.

Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.

On June 14 of last year, the daughter of Paul Rusesabagina, a former hotel manager credited with saving hundreds of lives during the genocide in Rwanda who is now in prison in the country, met with the Belgian foreign affairs minister to discuss her father’s situation. On the same day, her phone was hacked using tools made by spyware vendor NSO Group, according to forensic analysis of her phone.

On Wednesday, the daughter, whose name is Carine Kanimba, testified in front of Congress in a hearing on the threat of the proliferation of commercial spyware made by companies like NSO Group. In front of the House Permanent Select Committee on Intelligence committee, Kanimba shared her experience as the victim of sophisticated government spyware.

“I was mortified, and I am terrified,” Kanimba said. 

Kanimba said she believes NSO Group’s spyware was used by the Rwandan government to keep an eye on her and her family’s efforts to secure the release of her father, who in 2020 was abducted in Dubai and later convicted in Rwanda on terrorism charges. Kanimba explained the psychological pain she’s suffered because of the surveillance. 

“I am frightened by what the Rwandan government will do to me and my family next,” she said. “It keeps me awake that they knew everything I was doing, where I was, who I was speaking with, my private thoughts, and actions at any moment they wanted.”

Even now that her case is public, Kanimba said the Rwandan government could still “reinfect” her phone.

“So I still do not feel safe,” she said. “On a personal level, I am a 29-year-old woman and I use my phone quite often, not only in the efforts to secure my father's release, but in my social, my private conversations with my friends. And the fact that the same government that tortured my father, that is holding him hostage, and that has been trying to silence him from all these years, now also has access to my private messages and my conversations and my location—it is very, very scary.”

Do you have information similar cases of government spyware abuse? We’d love to hear from you. From a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email [email protected]

Kanimba is one of dozens of victims who were hacked with NSO Group’s spyware and have been identified as part of the Pegasus Project, an investigative effort conducted by Amnesty International and a group of media partners including the Guardian and The Washington Post.

Activist groups such as Amnesty International and Citizen Lab have for years been detailing cases where governments around the world have allegedly used spyware made by companies like NSO Group or the now-defunct Hacking Team to target human rights defenders and journalists. 

In the last year, the US government has taken steps to address these abuses. 

In November of last year, the Commerce Department put NSO Group and Candiru, another Israeli spyware maker, on a list that bars American companies or individuals from selling or providing services to them. Then in February of this year, the Department of Justice indicted a Mexican citizen who used to work as a reseller of Hacking Team’s spyware in the country. The citizen, Carlos Guerrero, pleaded guilty to selling the hacking tools to government clients knowing that they “could and likely would” use it for “political purposes, not just for law enforcement purposes.” 

According to experts, as well as a source with knowledge of that investigation, this case may be the beginning of a larger effort by the U.S. government to curb the use of commercial spyware by foreign countries. 

“Thank you for letting me share my story and the story of my father Paul Rusesabagina,” Kanimba said at the end of her introductory statement during the hearing. “I hope that you find it useful in considering how to regulate the type of tools used to target my family, and my father.

Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.

A group of security researchers found a series of vulnerabilities in the software underlying popular apps like Discord, Microsoft Teams, Spotify and many others, which are used by tens of millions of people all over the world.

At the Black Hat cybersecurity conference in Las Vegas on Thursday, the researchers presented their findings, detailing how they could have hacked people who use Discord, Microsoft Teams, and the chat app Element by exploiting the software underlying all of them: Electron, which is a framework built on the open source Chromium and the cross-platform javascript environment Node JS. 

In all these cases, the researchers submitted vulnerabilities to Electron to get them fixed, which earned them more than $10,000 in rewards. The bugs were fixed before the researchers published their research. 

Aaditya Purani, one of the researchers who found these vulnerabilities, said that “regular users should know that the Electron apps are not the same as their day-to-day browsers,” meaning they are potentially more vulnerable. 

In the case of Discord, the bug Purani and his colleagues found only required them to send a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, hackers would have been able to take control of their computers, Purani explained in the talk. 

In an interview with Motherboard after the talk, he admitted that he doesn’t run Electron apps, instead opting for using apps like Discord or Spotify inside his browser, which is more hardened against hackers. 

“If you are more paranoid, I recommend using the website itself because then you have the protection which Chromium has, which is much larger than the Electron,” Purani said. 

Still, Purani said that it’s a good thing to have Electron underlie so many apps because “if you have just one framework, which is running all the apps, then you can just focus on hardening that same framework.” 

For him, one of the main takeaways of their research is that Electron is risky precisely because users are very likely to click on links shared in Discord or Microsoft Teams. 

“Don't click on shady links,” Purani said. 

Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.

On Tuesday, the Department of Justice announced that a Mexican businessman had pleaded guilty to conspiring to sell surveillance and hacking tools made by Hacking Team, a notorious spyware vendor that is now defunct. 

The case, according to experts, shows that the U.S. government is willing to go after individuals who acted as middlemen between well-known international spyware vendors and foreign countries like Mexico, signaling a potential escalation in the U.S. government’s crackdown on spyware vendors. 

In its press release, U.S. authorities made it clear that this case wasn’t just about Guerrero.

“Today’s guilty plea helps stem the proliferation of digital tools used for repression and advances the digital security of both U.S. and Mexican citizens,” U.S. Attorney Randy Grossman is quoted as saying. 

“I bet a few spyware distributors will have a terrible sleep tonight, and think twice before flying to the U.S. any time soon.”

In the plea agreement, Carlos Guerrero, who was the head of a company that distributed surveillance technology called Elite by Carga, admitted that he sold Hacking Team spyware knowing that the Mexican authorities who were purchasing it “could and likely would” use it for “political purposes, not just for law enforcement purposes.” 

The agreement cites a few cases in particular. In one, Guerrero and his employee Daniel Moreno helped the mayor of a town in the state of Morelos to hack a political rival and access their Twitter, Hotmail, and iCloud accounts. In another case in December 2015, Guerrero and one of his employees used “an interception device” to wiretap the phone calls of “a business competitor.” And in another instance in February 2017, “one or more Elite by Carga employees agreed to hack the phone and email account of a Florida- based sales representative of a large Mexican business in exchange for an approximately $25,000 payment from the Mexican business.”

A screenshot of the plea agreement between Carlos Guerrero and the US government.

The plea agreement doesn’t include more details about the two cases. 

Guerrero’s lawyer did not immediately respond to a request for comment and a spokesperson for the U.S. Attorney’s Office of the Southern District of California, which prosecuted the case, declined to comment, saying “that’s all the information that is publicly available at this time.”

But a person with knowledge of the case, who asked to remain anonymous as they were not authorized to speak to the press, told Motherboard that the investigation is still ongoing and there will be more developments in the next few months. 

John Scott-Railton, a senior researcher at the Citizen Lab, a digital rights watchdog housed at the University of Toronto's Munk School that has investigated companies like Hacking Team and Israeli spyware vendor NSO Group for years, told Motherboard that he was pleased with the news, and that this case “sends another signal” that the U.S. government is very interested “in mercenary spyware abuses.”

“Clearly, they have a long memory,” he said in an online chat. “I bet a few spyware distributors will have a terrible sleep tonight, and think twice before flying to the U.S. any time soon.”

Do you have more information about this case? Or similar cases of spyware abuse? We’d love to hear from you. From a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email [email protected]

The indictment of Guerrero, according to Scott-Railton and another researcher who has been investigating surveillance in Mexico, is yet another case that shows abuses in the country were rampant. 

“It also helps cement our understanding of Mexican spyware customers as serial abusers. Nobody should be selling them spyware right now,” Scott-Railton said. 

“The acquisition and use of surveillance tech by mexican authorities is out of control, full of corruption, abuse and impunity,” Luis Fernando García, the director of Red en Defensa de los Derechos Digitales (R3D), a Mexican digital rights organization, said in an online chat. “Although I can’t speculate on what the USG motives or strategy is, certainly any actions by the US justice system that hold vendors and abusers accountable are very welcomed.”

According to Mexican news outlet El Punto Norte, Guerrero and his government contacts were investigated in the country as well, but the inquiry was closed. 

Guerrero’s case comes months after the US government announced that it had added NSO to a list of companies that are restricted from purchasing products and services from US companies, effectively making it hard for them to procure crucial equipment and technology. More recently, a European watchdog suggested that European governments should halt the development and purchase of any technology like the spyware developed by NSO. 

Guerrero is out of jail awaiting the sentencing hearing, which is scheduled for May 13.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.