Google discovers new iOS security feature added by Apple quietly after zero-day attacks


Google Project Zero on Thursday released details of a new security mechanism that Apple quietly added to iOS 14 as a countermeasure against recently discovered attacks that exploited a zero-day flaw in its messaging app.

Dubbed "BlastDoor," the tightly sandboxed service that now parses iMessage data was detailed by Samuel Groß, a security researcher at Project Zero, a team of Google security researchers tasked with studying zero-day vulnerabilities in hardware and software systems.

"One of the main changes in iOS 14 is the introduction of a new, tightly sandboxed 'BlastDoor' service, which is now responsible for almost all parsing of untrusted data in iMessages," said Groß. "In addition, this service is written in Swift, a (mostly) memory-safe language, which makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base."


The development is a consequence of a zero-click exploit that took advantage of an Apple iMessage flaw in iOS 13.5.1 to bypass security protections as part of a cyber espionage campaign targeting Al Jazeera journalists last year.

"We do not believe that [the exploit] works against iOS 14 and above, which includes new security protections," said the Citizen Lab researchers who revealed the attack last month.

BlastDoor forms the core of these new security protections, according to Groß, who analyzed the changes over a week-long reverse engineering project using an M1 Mac Mini running macOS 11.1 and an iPhone XS running iOS 14.3.

When an iMessage arrives, the message passes through several services, chiefly the Apple Push Notification Service daemon (apsd) and a background process called imagent, which is responsible not only for decoding the content of the message but also for downloading attachments (via a separate service called IMTransferAgent) and handling links to websites, before alerting SpringBoard to display the notification.


What BlastDoor does is parse all of these incoming messages inside a tightly restricted sandbox, which prevents any malicious code carried in a message from interacting with the rest of the operating system or accessing user data.

In other words, by moving most of the processing work (decoding the message's property list and building link previews) out of imagent and into the new BlastDoor component, a specially crafted message sent to a target device can no longer touch the file system or perform network operations.

"The sandbox profile is quite tight," noted Groß. "Only a few local IPC services can be reached, almost all file system interactions are blocked, any interaction with IOKit drivers is prohibited, [and] outbound network access is denied."

In addition, to slow down repeated restarts of a crashing service, Apple has introduced a new throttling feature in the iOS launch daemon (launchd) that limits how many attempts an attacker can make while trying to exploit a bug: the delay between two successive crash-and-retry attempts grows exponentially.

"With this change, an exploit that relied on repeatedly crashing the attacked service would now likely require on the order of several hours to roughly half a day to complete instead of a few minutes," said Groß.
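The following is an added illustration of the throttling effect described above; it is not Apple's launchd code and does not use Apple's real parameters. It models a service whose restart delay doubles after every consecutive crash, with constructed values for the base delay, the cap, and the cost of one crash-and-respawn cycle, and compares how long a given number of retry attempts takes with and without the backoff.

```python
"""Model of exponential restart backoff for a crashing service.

Added illustration, not Apple's launchd implementation. All numbers below are
constructed assumptions: base delay 1 s, doubling per consecutive crash, capped
at 20 minutes, and 2 s of attacker time per crash-and-respawn cycle.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RestartPolicy:
    base_delay_s: float = 1.0        # delay before the first respawn (assumed)
    growth: float = 2.0              # multiplier per consecutive crash (assumed)
    max_delay_s: float = 20 * 60.0   # cap on the delay (assumed)


DEFAULT_POLICY = RestartPolicy()


def restart_delay(consecutive_crashes: int, policy: RestartPolicy = DEFAULT_POLICY) -> float:
    """Seconds the daemon waits before respawning after the n-th consecutive crash."""
    if consecutive_crashes <= 0:
        return 0.0
    delay = policy.base_delay_s * policy.growth ** (consecutive_crashes - 1)
    return min(delay, policy.max_delay_s)


def time_for_attempts(attempts: int, per_attempt_s: float = 2.0,
                      policy: RestartPolicy = DEFAULT_POLICY, throttled: bool = True) -> float:
    """Wall-clock seconds needed for `attempts` crash-and-retry cycles.

    Without throttling the service respawns immediately, so the cost is just
    the per-attempt time. With throttling every crash except the last adds the
    backoff delay before the next attempt can even start.
    """
    total = 0.0
    for n in range(1, attempts + 1):
        total += per_attempt_s
        if throttled and n < attempts:
            total += restart_delay(n, policy)
    return total


def attempts_within(window_s: float, per_attempt_s: float = 2.0,
                    policy: RestartPolicy = DEFAULT_POLICY, throttled: bool = True) -> int:
    """Number of crash-and-retry cycles that fit inside a time window."""
    elapsed = 0.0
    completed = 0
    while elapsed + per_attempt_s <= window_s:
        elapsed += per_attempt_s
        completed += 1
        if throttled:
            elapsed += restart_delay(completed, policy)
    return completed


if __name__ == "__main__":
    for throttled in (False, True):
        label = "with backoff" if throttled else "no backoff"
        print(f"{label:>12}: 20 attempts take {time_for_attempts(20, throttled=throttled) / 3600:.2f} h, "
              f"{attempts_within(600, throttled=throttled)} attempts fit in 10 minutes")
```

With these assumed parameters, twenty retries cost about 40 seconds when the service respawns immediately but more than three hours once the backoff is in place, and only ten attempts fit into a ten-minute window instead of three hundred. The exact figures depend entirely on the constructed constants; the point is the shape of the curve, which turns a crash-and-retry exploit strategy from minutes into hours and also makes the repeated crashes far more visible in crash logs.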

“Overall, these changes are probably very close to the best that could have been done, given the need for backward compatibility, and are expected to have a significant impact on the security of iMessage and the platform as a whole.”
