Apple's iOS operating system is generally considered secure, certainly secure enough for most users most of the time. But in recent years, hackers have found a series of flaws that provide entry points into iPhones and iPads. Many of them enabled so-called zero-click or no-interaction attacks, which can infect a device without the victim tapping a link or downloading a malicious file. Over and over again, these weaponized vulnerabilities turned out to be in Apple's chat app, iMessage. Now it looks like Apple has had enough: new research shows that the company took iMessage's defenses to another level with the release of iOS 14 in September.
In late December, for example, researchers at the University of Toronto's Citizen Lab published findings about a summer hacking campaign in which attackers targeted dozens of Al Jazeera journalists with a zero-click iMessage exploit to install NSO Group's notorious Pegasus spyware. Citizen Lab said at the time that it did not believe iOS 14 was vulnerable to the exploit used in the campaign; all of the victims were running iOS 13, which was the current release at the time.
Samuel Groß has long investigated zero-click attacks on the iPhone along with several of his colleagues on Google's Project Zero bug-hunting team. This week he detailed three improvements Apple has made to iMessage to harden the system and make it much more difficult for attackers to compromise a device with a crafted malicious message.
“These changes are probably very close to the best that could have been done, given the need for backward compatibility, and should have a significant impact on the security of iMessage and the platform as a whole,” wrote Groß on Thursday. “It’s great to see Apple reserving resources for these types of major refactorings to improve the safety of end users.”
In response to Citizen Lab's findings, Apple said in December that “iOS 14 is a huge leap in security and offers new protections against these types of attacks”.
iMessage is an obvious target for zero-click attacks for two reasons. First, it is a communication system, which means that part of its job is to accept data from other devices. iMessage is literally built for interaction-free activity; you don't have to touch anything to receive a text or photo from a contact. Second, iMessage's full set of features – integrations with other apps, payment functionality and even little things like stickers and Memoji – makes it a breeding ground for attackers too. All of these interconnections and options are convenient for users, but each one adds “attack surface”: more code that handles untrusted input, and so more places where an exploitable bug can hide.
“iMessage is an integrated service on every iPhone, so it’s a big target for sophisticated hackers,” says Johns Hopkins cryptographer Matthew Green. “It also has a lot of bells and whistles, and each of these features is a new opportunity for hackers to find bugs that allow them to take control of their phone. So what this research shows is that Apple knows this and has quietly strengthened the system.”
Groß describes three new protections that Apple has built to address iMessage's security problems at a structural level rather than with Band-Aid patches. The first, dubbed BlastDoor, is a “sandbox”: a tightly restricted process in which iMessage parses the contents of incoming messages, so that an exploit triggered while that untrusted data is being decoded is contained in the quarantined process rather than running with the privileges of the main messaging app and the rest of iOS.
The second new mechanism targets attacks that rely on the shared cache of system libraries. iOS loads that cache at a randomized address so that an exploit cannot simply assume where system code lives in memory. However, iOS previously only picked a new address for the shared cache after a reboot, which gave zero-click attackers a chance to discover its location by sending a stream of messages that crash the target and observing what happens; it's like feeling around in the dark until you bump into something, and because nothing moves between attempts, every failed attempt narrows the search. The new protection detects this pattern of crashes and re-randomizes the cache's location without the user having to restart the iPhone, so whatever an attacker has learned about the layout is thrown away.
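To make the difference concrete, here is a small simulation, added as an illustration and not taken from Groß's post or from Apple's code. It models the shared cache as a window of pages placed at a random base inside a toy address space, gives the attacker only a crash oracle (a probe either lands on a mapped address or crashes the process), and compares two policies: keep the base fixed across crashes, as iOS did before, or re-randomize it on every crash. With a fixed base the attacker finds the exact base in a bounded number of probes (a stride scan followed by a binary search for the lower edge); with re-randomization, the same search accumulates no usable information. The address-space size, cache size and the scan strategy are constructed assumptions for the simulation, not iOS values.

```python
import random

# Constructed toy parameters (page units), not real iOS numbers.
ADDRESS_SPACE = 1 << 20   # total number of addresses the cache can occupy
CACHE_PAGES = 1 << 10     # size of the shared-cache window


class Device:
    """Simulated target: the shared cache sits at a random base ('slide').

    The attacker learns only whether a probed address is mapped. Probing an
    unmapped address crashes the victim process; the policy decides whether
    that crash also re-randomizes the cache base.
    """

    def __init__(self, rng, reslide_on_crash):
        self.rng = rng
        self.reslide_on_crash = reslide_on_crash
        self.base = self._random_base()
        self.probes = 0
        self.crashes = 0
        self.reslides = 0

    def _random_base(self):
        # Any page-aligned base that keeps the whole cache inside the space.
        return self.rng.randrange(0, ADDRESS_SPACE - CACHE_PAGES + 1)

    def probe(self, addr):
        """Return True if addr is inside the cache; otherwise 'crash'."""
        self.probes += 1
        mapped = self.base <= addr < self.base + CACHE_PAGES
        if not mapped:
            self.crashes += 1
            if self.reslide_on_crash:
                self.base = self._random_base()
                self.reslides += 1
        return mapped


def locate_cache_base(device):
    """Attacker strategy that assumes the base stays put across crashes.

    Phase 1: probe every CACHE_PAGES-th address; any window of that width
    must overlap the cache, so at most ADDRESS_SPACE/CACHE_PAGES probes hit.
    Phase 2: binary search between the last miss and the first hit for the
    lowest mapped address, i.e. the base. About log2(CACHE_PAGES) probes.
    """
    hit = None
    for addr in range(0, ADDRESS_SPACE, CACHE_PAGES):
        if device.probe(addr):
            hit = addr
            break
    if hit is None:
        return None            # only happens when the cache keeps moving
    if hit == 0:
        return 0               # address 0 mapped means the base is 0
    lo, hi = hit - CACHE_PAGES, hit   # lo: known miss, hi: known hit
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if device.probe(mid):
            hi = mid
        else:
            lo = mid
    return hi


def run_experiment(reslide_on_crash, seed=0):
    """Run the attacker against one simulated device and report the outcome."""
    rng = random.Random(seed)
    device = Device(rng, reslide_on_crash)
    initial_base = device.base
    found = locate_cache_base(device)
    return {
        "found": found,
        "initial_base": initial_base,
        "base": device.base,
        "probes": device.probes,
        "crashes": device.crashes,
        "reslides": device.reslides,
    }


if __name__ == "__main__":
    for policy in (False, True):
        r = run_experiment(reslide_on_crash=policy, seed=7)
        label = "re-slide on crash" if policy else "fixed base until reboot"
        print(f"{label}: found={r['found']} actual={r['base']} "
              f"probes={r['probes']} crashes={r['crashes']} reslides={r['reslides']}")
```

Under the fixed-base policy every crash is a free experiment, and the search converges on the exact base in at most 1024 + 10 probes. Under re-slide-on-crash each crash discards the attacker's partial knowledge, so the same algorithm's answer is no better than a guess; the only way to "win" is to hit a mapped address by luck, and a crash that moves the target is exactly the signal a defender can also count and rate-limit.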