According to Motherboard, Apple has created a way to protect iOS from zero-click exploits. These vulnerabilities allow a hacker to take control of an iPhone without any interaction from the victim. The change developed by Apple was silently added to iOS 14.5 beta, giving iPhone users another reason to wait for the final version of the update. Some of the features that will come in the next version of iOS include one that allows an iPhone user with a face mask to have their phone unlocked automatically if they are using an unlocked Apple Watch. The update adds a new emoji and the App Tracking Transparency feature that prevents the user from being tracked by a third-party app, unless he decides to choose to be tracked.
Apple makes zero-click exploits more difficult for hackers to employ in the next iOS 14.5 update to be released this spring
According to a source who develops exploits for government customers, the changes made by Apple “… will definitely make 0 clicks more difficult. The sandbox also escapes. Significantly more difficult.” With zero-click attacks occurring without any necessary action by the phone owner, these attacks are often more difficult to detect by the target and more sophisticated. An iOS feature called ISA pointers tells the operating system which code to use. According to Apple’s Platform Security Guide, Apple now uses encryption to validate these indicators through the use of Pointer Authentication Codes (or PACs). This is a new form of protection for Apple and prevents hackers from using malicious code in an attack. A member of the security company Zimperium, Adam Donenfeld, noticed the change earlier this month, when he reversed the engineering of iOS 14.5 beta.
Zero-click exploits will be more difficult to perform on iOS 14.5
Not only did Apple tell Motherboard that this change will help protect the iPhone from zero-click attacks, Donenfeld said in an online chat that “Nowadays, as the pointer is signed, it is more difficult to corrupt these pointers to manipulate objects in the These objects were used mainly in sandbox escapes and 0clicks. “And now the bad actors are the ones who are upset. An iOS security researcher, who requested anonymity because he is not authorized to speak to the media, said that many hackers are upset “because some techniques are irretrievably lost”.
Just last December, an AirDrop exploit without a click was discovered. AirDrop is a feature that allows iOS users to send and receive files from other nearby iOS devices. Discovered by Google’s Project Zero, the vulnerability was fixed by Apple on iOS 13.5. It only required the attacker to be within Wi-Fi distance of the target device. It took hackers six months to take advantage of this vulnerability, although hackers with better technology may have gone through it more easily. Furthermore, no solid evidence has ever been found that hackers have in fact taken advantage of the AirDrop vulnerability. Zero-click exploits are scary because not only do they not have the user of the target device doing something to detonate the hack, most of the time the victim has no idea that his phone was chosen until he started doing something weird.
Donenfeld of Zimperium points out that hackers will be looking for new techniques to replace those that have been lost. In addition, he says that while zero-clicks are now more difficult to perform, they are not impossible to use for attacks. “This mitigation in reality probably only increases the cost of 0clicks, but a determined attacker with lots of resources would still be able to do that,” noted Jamie Bishop, who is one of the developers of the popular jailbreak Checkra1n. Still, by making a zero-click attack more difficult to perform, iPhone users need to install iOS 14.5 as soon as the final public version is available this semester.
