Google unveils new iOS security feature that Apple quietly added after zero-day attacks

Google Project Zero on Thursday disclosed details of a new security mechanism that Apple quietly added to iOS 14 as a countermeasure against the kind of zero-day attacks recently seen against its iMessage app.

Dubbed “BlastDoor,” the enhanced sandbox system for iMessage data was detailed by Samuel Groß, a security researcher at Project Zero, the Google team tasked with studying zero-day vulnerabilities in hardware and software.

“One of the biggest changes in iOS 14 is the launch of a new ‘BlastDoor’ service with a sandbox that is now responsible for almost all the analysis of unreliable data in iMessages,” Groß said. “Furthermore, this service is written in Swift, a (mostly) memory-safe language that makes it significantly more difficult to code classic memory corruption vulnerabilities into the code base.”

The development follows a zero-click exploit that used an iMessage bug in iOS 13.5.1 to bypass security protections as part of a cyber-espionage campaign launched last year against Al Jazeera journalists.

“We do not believe it [the exploit] works against iOS 14 and newer, which includes new security protections,” said the Citizen Lab researchers who disclosed the attack last month.

BlastDoor forms the core of the new security protection, according to Groß, who analyzed the implemented changes over the course of a week-long reverse engineering project using an M1 Mac Mini running macOS 11.1 and an iPhone XS running iOS 14.3.

When an incoming iMessage arrives, it passes through a number of services, including the Apple Push Notification Service (apsd) and a background process called imagent, which is responsible not only for decoding the message content but also for downloading attachments (through a separate service called IMTransferAgent) and handling links to websites, before notifying SpringBoard to display the notification.

What BlastDoor does is inspect all such incoming messages inside a secure, sandboxed environment, which prevents any malicious code in a message from interacting with the rest of the operating system or accessing user data.

In other words, by moving most of the processing tasks, such as decoding the message property list and creating link previews, out of imagent and into the new BlastDoor component, a specially crafted message sent to a target can no longer interact with the file system or perform network operations.

“The sandbox profile is quite stiff,” Groß notes. “Only a handful of local IPC services can be accessed, almost all file system interactions are blocked, any interaction with IOKit drivers is prohibited, [and] access to outgoing networks is denied.”

What’s more, to slow down the restart of a service after a crash, Apple has also introduced a new throttling feature in the iOS “launchd” process: it limits the number of attempts an attacker gets when trying to exploit a bug by increasing the waiting time between two consecutive brute-force attempts exponentially.

“With this change, an exploit that relied on repeatedly crashing the attacked service would now probably require on the order of several hours to about half a day instead of a few minutes,” Groß said.
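To make the effect of such a restart throttle concrete, here is an added simulation (not Apple's launchd code, and not taken from the article): a supervisor that doubles the wait before each relaunch of a crashing service, compared with one that respawns it immediately. The delay values, the cap and the reset rule are assumptions chosen for illustration, not the values iOS uses.

```python
"""Simulated crash-restart throttle with exponential backoff (illustrative only)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RestartThrottle:
    """Tracks crashes of one service and decides how long to hold back its next launch."""
    base_delay: float = 1.0          # assumed: seconds to wait after the first crash
    max_delay: float = 20 * 60.0     # assumed: cap on a single wait
    reset_after: float = 60 * 60.0   # assumed: a crash-free hour resets the counter
    consecutive_crashes: int = 0
    last_crash_at: float = -1.0      # -1.0 means "no crash seen yet"

    def delay_for_crash(self, now: float) -> float:
        """Record a crash at time `now` and return the wait before the next launch."""
        if self.last_crash_at >= 0 and now - self.last_crash_at > self.reset_after:
            self.consecutive_crashes = 0  # service was stable long enough: start over
        self.consecutive_crashes += 1
        self.last_crash_at = now
        # Exponential backoff: 1, 2, 4, 8, ... seconds, never more than max_delay.
        return min(self.base_delay * 2 ** (self.consecutive_crashes - 1), self.max_delay)


def time_to_exhaust_attempts(attempts: int, throttle: Optional[RestartThrottle]) -> float:
    """Simulated wall-clock seconds needed for `attempts` crash-and-retry cycles.

    Without a throttle the service respawns immediately after each crash; with one,
    every crash adds the throttle's delay before the next attempt can even start.
    """
    clock = 0.0
    for _ in range(attempts):
        clock += 1.0  # assumed: one second to deliver a message and crash the parser
        if throttle is not None:
            clock += throttle.delay_for_crash(clock)
    return clock


if __name__ == "__main__":
    attempts = 20
    unthrottled = time_to_exhaust_attempts(attempts, None)
    throttled = time_to_exhaust_attempts(attempts, RestartThrottle())
    print(f"{attempts} crash-and-retry cycles without throttle: {unthrottled / 60:.1f} min")
    print(f"{attempts} crash-and-retry cycles with throttle:    {throttled / 3600:.1f} h")
```

With the assumed parameters, twenty crash-and-retry cycles take twenty seconds unthrottled but roughly three and a half hours once each relaunch is delayed, which is the order-of-magnitude shift the quote above describes.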

“Overall, these changes are probably very close to the best that could have been done given the need for backward compatibility, and this would have a significant impact on the security of iMessage and the platform as a whole.”
