Apple quietly fixes one of the iPhone’s biggest security risks

Apple’s iOS operating system is generally considered secure, and it is certainly secure enough for most users. But over the past few years, hackers have found a number of bugs that provide entry points into iPhones and iPads. Many of these are so-called ‘zero-click’ or ‘interactionless’ attacks that can infect a device without the victim so much as clicking a link or opening a malware-laced file. These weaponized vulnerabilities have turned up again and again in Apple’s chat app, iMessage. Now it seems Apple has had enough. New research shows that the company has taken the defense of iMessage to a whole other level with the release of iOS 14 in September.

In late December, for example, researchers from the University of Toronto’s Citizen Lab published findings about a summer hacking campaign in which attackers successfully targeted dozens of Al Jazeera journalists with a zero-click iMessage attack to install the infamous Pegasus spyware from NSO Group. Citizen Lab said at the time that it did not believe iOS 14 was vulnerable to the exploit used in the campaign; all the victims were running iOS 13, which was the current release at the time.

Samuel Groß has spent years investigating zero-click iPhone attacks with colleagues on Google’s Project Zero bug-hunting team. This week, he outlined three improvements Apple has added to iMessage to harden the system and make it much harder for attackers to land malicious messages designed to wreak havoc.

“These changes are probably very close to the best that could have been done given the need for backward compatibility, and they would have a significant impact on the security of iMessage and the platform as a whole,” Groß wrote on Thursday. “It’s great to see Apple setting aside the resources for these kinds of large refactorings to improve end users’ security.”

In response to Citizen Lab’s research, Apple said in December that “iOS 14 is a major leap in security and has provided new protection against such attacks.”

iMessage is an obvious target for zero-click attacks for two reasons. First, it is a communication system, which means its whole function is to exchange data with other devices. iMessage is literally built for interactionless activity; you do not have to tap anything to receive a text or a photo from a contact, so the code that parses those messages runs on untrusted input from strangers by design. Second, iMessage’s full range of features, integrations with other apps, payment functionality, even little things like stickers and Memoji, also make it fertile ground for hackers. All of those interconnections and options are convenient for users, but every one of them expands the ‘attack surface’, the set of places where a vulnerability could be exposed.

“iMessage is a built-in service on every iPhone, so it’s a big target for sophisticated hackers,” says Johns Hopkins cryptographer Matthew Green. “It also has a lot of bells and whistles, and each of these features is a new opportunity for hackers to find bugs that enable them to control your phone. What this research shows, then, is that Apple knows this and has quietly hardened the system.”

Groß outlines three new protections Apple has developed to address iMessage’s security problems at a structural level, rather than through piecemeal patches. The first, called BlastDoor, is a ‘sandbox’: a tightly restricted, isolated process in which iMessage parses incoming messages and attachments before anything is handed to the rest of iOS. A malicious message that triggers a parsing bug now compromises only that quarantined process, not the main iOS environment.

The second new mechanism watches for attacks that target the shared cache of system libraries. iOS loads that cache at a randomized address to make it harder for an attacker to find and abuse, but it only picked a new address after a reboot, which gave attackers ample opportunity to discover the location: an exploit could keep guessing, like taking shots in the dark until it hit something, and each failed guess cost nothing because the layout stayed the same. The new protection detects the crashes that such guessing produces and re-randomizes the cache’s location on the spot, without the user having to restart their iPhone.
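To make the difference concrete, here is an added toy simulation; it is not Apple’s or Project Zero’s code, and its address-space size, cache size, probe budget and the rule that a crash is the only detection signal are constructed assumptions, not iOS values. It models an attacker who can probe one address per attempt and learns only whether the probe landed inside the cache or crashed. Against a layout that stays fixed until reboot, the attacker pins down the exact base in a few hundred probes; once each crash moves the cache, the same strategy still stumbles onto a mapped page but can no longer learn the exact base that an exploit needs.

```python
"""Toy model of brute-forcing the shared cache's randomized base address.

Added illustration, not Apple's or Project Zero's code. Constructed
parameters: a 2**20-slot address space, a 2**12-slot cache, and "a probe
crashed" as the only signal that re-randomization keys off. Real iOS memory
geometry and detection logic are not modelled.
"""
import random

ADDRESS_SPACE = 1 << 20   # constructed: number of addressable slots
CACHE_SIZE = 1 << 12      # constructed: size of the shared cache in slots
PROBE_BUDGET = 1 << 16    # constructed: attempts before the attacker gives up


class SharedCache:
    """One device's shared cache, placed at a random base (ASLR)."""

    def __init__(self, rerandomize_on_crash, rng=None):
        self.rng = rng if rng is not None else random.Random()
        self.rerandomize_on_crash = rerandomize_on_crash
        self.crashes = 0
        self._randomize()

    def _randomize(self):
        # Boot-time style ASLR: uniform over positions where the whole cache fits.
        self.base = self.rng.randrange(ADDRESS_SPACE - CACHE_SIZE + 1)

    def probe(self, addr):
        """True if addr is mapped inside the cache; False means the access crashed.

        A crash is the 'attack detected' signal: with the hardening modelled,
        it moves the cache, so everything the attacker learned so far is stale.
        """
        if self.base <= addr < self.base + CACHE_SIZE:
            return True
        self.crashes += 1
        if self.rerandomize_on_crash:
            self._randomize()
        return False


def find_base(cache, budget=PROBE_BUDGET):
    """Attacker strategy: stride-scan until a probe lands in the cache, then
    binary-search for the cache's lower boundary.

    Returns (guessed_base, probes_used); the guess is None if no probe hit
    within the budget.
    """
    probes = 0
    hit = None
    # Phase 1: one probe per CACHE_SIZE-wide window. Against a static layout
    # this is guaranteed to hit within ADDRESS_SPACE // CACHE_SIZE probes.
    for i in range(budget):
        addr = (i * CACHE_SIZE) % ADDRESS_SPACE
        probes += 1
        if cache.probe(addr):
            hit = addr
            break
    if hit is None:
        return None, probes
    # Phase 2: for a static layout the invariant is lo < base <= hi
    # (lo was probed and crashed, or is -1; hi was probed and is mapped).
    lo = hit - CACHE_SIZE if hit > 0 else -1
    hi = hit
    while hi - lo > 1:
        mid = (lo + hi) // 2
        probes += 1
        if cache.probe(mid):
            hi = mid
        else:
            lo = mid  # under re-randomization this crash just moved the target
    return hi, probes


def simulate(rerandomize_on_crash, trials=30, seed=7):
    """Run the attacker against `trials` fresh devices and return how many
    times the final guess equals the cache's base at the moment an exploit
    would rely on it."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        cache = SharedCache(rerandomize_on_crash, rng)
        guess, _ = find_base(cache)
        if guess == cache.base:
            wins += 1
    return wins


if __name__ == "__main__":
    print("static until reboot, exact base recovered:", simulate(False), "/ 30")
    print("re-randomize on crash, exact base recovered:", simulate(True), "/ 30")
```

In the static case the stride scan needs at most 256 probes and the boundary search another 12, and every crash along the way is free information. With re-randomization each crash discards that information, so the binary search converges on an address that no longer has any relation to where the cache now sits.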
