A Google security researcher has unearthed several anti-exploit mitigations in iOS 14 (opens in new tab), added specifically by Apple in response to zero-click attacks carried out via iMessage.
The vulnerability in the iPhone's instant messaging app was reported in December last year and was used to launch attacks (opens in new tab) against various employees of the Al Jazeera news network.
The new mitigations were discovered by Google’s Project Zero researcher Samuel Groß (opens in new tab), during his attempts to learn how Apple has reinforced its mobile operating system (OS) in light of the vulnerabilities.
- These are the best business smartphones (opens in new tab)
- Check our list of the best identity theft protection services (opens in new tab)
- Here's our list of the best malware removal software (opens in new tab)
Sanitizing iMessage
Groß conducted reverse engineering experiments on the mobile OS and discovered that Apple had made “significant” changes to iMessage in a bid to impede the zero-click attacks. Surprisingly, the makers of the iPhone did not document the changes.
“One of the major changes in iOS 14 is the introduction of a new, tightly sandboxed service named BlastDoor, which is now responsible for almost all parsing of untrusted data in iMessages,” writes Groß in his report.
Groß notes that zero-click exploits usually exploit multiple vulnerabilities to create exploit chains. In most observed attacks the number of vulnerabilities in the exploit chains numbered four. The changes in iOS 14 that Groß discovered made all four parts of an attack much harder to succeed.
"Overall, these changes are probably very close to the best that could've been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole," observed Groß in his detailed analysis of the changes.
- These are the best antivirus software (opens in new tab) for your devices
Via: ZDNet (opens in new tab)