Skip to main content

Apple quietly added a whole new security system to iOS 14

social apps iPhone
(Image credit: dole777/Unshsplah)

A Google security researcher has unearthed several anti-exploit mitigations in iOS 14, added specifically by Apple in response to zero-click attacks carried out via iMessage.

The vulnerability in the iPhone's instant messaging app was reported in December last year and was used to launch attacks against various employees of the Al Jazeera news network.

The new mitigations were discovered by Google’s Project Zero researcher Samuel Groß, during his attempts to learn how Apple has reinforced its mobile operating system (OS) in light of the vulnerabilities.

Sanitizing iMessage

Groß conducted reverse engineering experiments on the mobile OS and discovered that Apple had made “significant” changes to iMessage in a bid to impede the zero-click attacks. Surprisingly, the makers of the iPhone did not document the changes. 

“One of the major changes in iOS 14 is the introduction of a new, tightly sandboxed service named BlastDoor, which is now responsible for almost all parsing of untrusted data in iMessages,” writes Groß in his report.

Groß notes that zero-click exploits usually exploit multiple vulnerabilities to create exploit chains. In most observed attacks the number of vulnerabilities in the exploit chains numbered four. The changes in iOS 14 that Groß discovered made all four parts of an attack much harder to succeed.

"Overall, these changes are probably very close to the best that could've been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole," observed Groß in his detailed analysis of the changes.

Via: ZDNet