Option to block Messages attachments

I think Apple would say that there is an option for that: Lockdown Mode.

For many years I have had Mail set to not automatically download images - it gives me a button to load images, if I think it is safe.
One concern I had was that automatically loading remote images told the sender that they had a valid email address - great for spammers!
So, yes, the same option with messages (where spam is increasing) would be useful.
Lockdown mode is a bit extreme :face_with_raised_eyebrow:

This seemingly tiny feature is the tip of a massive security iceberg. Bear with me as we quickly go from the top down… and apologies for where this goes.

My side-comment from another thread (re-posted by Adam at the top) was directed at a long-standing, persistent and dangerous issue with iOS, macOS and other modern software: Auto-(down)loading content in the background and/or when an app is not even active or needed with no reasonable option to disable the security risk. (i.e., iMessage automatically pre-loading any incoming link, image, video, etc.)

How many high, critical or zero-day vulnerabilities have we suffered with iOS/macOS in recent years that stem from this easily resolved issue? How is this still a problem for Apple devices?

As Michael P. noted, we have had a switch to prevent auto-loading of images in email software since before the turn of the century, and then some. Apple Mail has a toggle to enable/disable auto-loading of remote images. It is a simple matter to click the load images button in an email when needed.

While I am sure many of us can come up with inventive, logical sounding arguments in favor of this instant gratification software design, there is a painful reality: It is a recurring, single point of failure.

Here is a quick thought experiment…

What if all of our front doors used a digital lock that would recognize authorized people instantly on approach and open/close automatically? Assume these locks worked brilliantly and saved us from having to put down carried items or dig out our keys. The locks afforded us great convenience and joy.

However, these door locks also had a small, random chance of self-unlocking and opening the door while we were not home.

How many of us would continue using these door locks?

How about if your pets were home while you were away?

How about if your children were home while you were away?

What price is worth having the incredible convenience vs. having to use a key?

If this scenario seems too far removed from the concept of smartphone security practices, I invite you to take a little more time to consider things. Auto-loading ANY incoming content from ANY sender is the default behavior of iMessage, Mail and other apps. There have already been numerous vulnerabilities discovered in just the last few years that can hijack a device simply because someone sent a text message with an image that exploited a previously unknown flaw. More will be discovered. More will be created unintentionally.

Even if someone decides they WANT their device to auto-load media, why is it necessary to pre-load this content before the app is even running or the email/message has been opened?

What is the cost for a few milliseconds?

As for Lockdown Mode, I have three points as to why this is not an ideal answer:

  1. It is an overly complicated solution to the basic issue at hand.
  2. It is only available on the latest iOS. Many currently active devices cannot run the latest iOS and therefore cannot use this feature.
  3. Apple employs a great deal of confusion and fear to discourage its use.

It pains me to say this, but for a company that has repeatedly proclaimed how highly it values customers’ security and safety, one would have expected parts of “Lockdown Mode” to be available years ago… instead of appearing many years after their security breaches jeopardized careers, families, lives and (inter)national security … and when the company was under pressure.

If we focus on “extreme” security threats that allegedly only target a very small number of mobile device users, there is an interesting timeline of events regarding NSO’s Pegasus spyware:

2012 - NSO’s Pegasus spyware for iOS in use (and may have started before 2012).
2016 August - Pegasus spyware is discovered and reported.
2021 July - Amnesty International releases MVT command line tool for Pegasus spyware detection.
2021 August - iMazing 2.14 released (macOS & Win) with a free Pegasus detection feature.
2022 August - Apple releases Lockdown Mode for iOS 16 & macOS 13, only for iPhone 8 and newer (2017+).
2023 - Pegasus continues to take over and monitor iPhones running nearly all versions of iOS including 16 (theoretically those not using Lockdown Mode).
2023 September - Apple adds more features to Lockdown Mode in iOS 17 only for iPhone XR/XS and newer (2018+). Apple releases Lockdown Mode for the Apple Watch.

I will end with a Guardian article from just over 2 years ago…

2 Likes

Is there actual evidence that this is really exploited these days? I ask merely because sending spam is so cheap, so I have to wonder, does any real spammer care about putting effort into verifying good vs. bad addresses via a scheme like this vs. just spray and pray?

These so-called web beacons or tracking pixels are used everywhere. Most mail that comes from a corporation or a mailing list uses them.

This is used by legitimate mailing lists so the operators can determine how many users actually read the mail (possibly broken down by region, age group and whatever other metadata that may be available). Mailing lists often modify the URLs for links in order to track which are clicked on, what mail message provided the link, and maybe also which recipient actually clicked on it.

@ace: I assume Discourse provides that capability, although you may not have turned it on.

It’s also used by legitimate advertisers, again, to determine the demographics of who is reading the mail and who is clicking on the links. Target (for example) definitely wants to know which of their recipients actually read the mail and which click on the links. Even if they don’t want to prune their mailing lists based on the data, their marketing people need it to estimate the effectiveness of an ad campaign.

As for the spammers, they routinely resell their address lists to each other. They use the tracking data to build lists of addresses that are “confirmed” to have actual readers, because those addresses command a higher price.

2 Likes

Yes, that’s absolutely true. Sendy, which is what we use for delivering TidBITS itself, had this turned on by default, but several years ago, we turned off all the open and link tracking because it didn’t tell us anything that would make a difference in our behavior.

Actually, it looks like Discourse doesn’t do anything along these lines from the chatter in these threads:

2 Likes

There’s stuff like MailTrackerBlocker to prevent ‘regular’ tracking through email.

My question was if there’s actual evidence that real spammers go through the trouble of embedding special image URLs to validate if a human actually opened the message or not. I’m aware there’s a plausible case to be made, but I was curious if there’s any actual data.

I’d be surprised if true spammers would care. Marketers do this so they can track the efficacy of different campaigns, but true spammers aren’t trying to make their spam more deceptive—it’s a volume play.

For giggles, I downloaded the 650 spam messages currently in my Gmail Spam folder and did a search on “img src”. That finds all images, obviously, but the only reason to use a tracking pixel is if you don’t have other images already in the message. BBEdit reported 1817 images, or not quite 3 per message on average.

I also found 426 instances of “tracking” which suggests to me that a lot of what we all consider “spam” is sent by companies legitimate enough to think of it as “marketing.”

2 Likes
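An added example, not part of any post in this thread: a more structured version of the "img src" count above, which parses a message's HTML part, lists the images a mail client would fetch from the network, and flags the ones shaped like the web beacons described earlier. The sample message, its hosts and token are constructed, and the "0/1-pixel or hidden" rule is an assumed heuristic.

```python
# Added example: audit the HTML part of a message for remote images.
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; the hosts and token are made up.
SAMPLE = """\
From: news@example.com
To: reader@example.org
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.example.com/banner.png" width="600" height="120">
<img src="https://t.example.com/o.gif?u=abc123" width="1" height="1">
<img src="cid:logo@example.com">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def looks_hidden(img):
    """Heuristic (assumption): 0/1-pixel or display:none images are beacons."""
    style = (img.get("style") or "").replace(" ", "").lower()
    tiny = all(img.get(k) in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style

def audit(raw_message):
    """Return remote image URLs and the subset that look like beacons."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    collector = ImgCollector()
    if body is not None:
        collector.feed(body.get_content())
    remote, beacons = [], []
    for img in collector.images:
        src = (img.get("src") or "").strip()
        if urlsplit(src).scheme not in ("http", "https"):
            continue  # cid: and data: images are embedded; nothing is fetched
        remote.append(src)
        if looks_hidden(img):
            beacons.append(src)
    return {"remote": remote, "beacons": beacons}
```

Every URL in `remote` is a request the sender's server sees when images auto-load, which is what a "load images" button defers until the reader chooses.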

The only difference between “spam” and “advertising” is whether or not the recipient asked for it.

Yes and no. Obviously, yes, spam is anything you didn’t sign up for, but I do feel that there’s a distinction between essentially criminal spam that’s trying to steal personal information and spam that’s a real company trying to sell me something I don’t want. Neither is good, but the intent and strategies differ significantly.

1 Like