Samuel Groß has long investigated zero-click iPhone attacks alongside a number of his colleagues at Google's Project Zero bug-hunting team . The week, he detailed three improvements that Apple added to iMessage to harden the system and make it much more difficult for attackers to send malicious messages crafted to wreak strategic havoc.“These changes are probably very close to the best that could’ve been done given the need for backward compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole,” Groß wrote on Thursday. “It’s great to see Apple putting aside the resources for these kinds of large refactorings to improve end users’ security.”
In response to Citizen Lab's research, Apple said in December that “iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks.”
iMessage is an obvious target for zero-click attacks for two reasons. First, it's a communication system, meaning part of its function is to exchange data with other devices. iMessage is literally built for interactionless activity; you don't need to tap anything to receive a text or photo from a contact. And iMessage's full suite of features—integrations with other apps, payment functionality, even small things like stickers and memoji—make it fertile ground for hackers as well. All those interconnections and options are convenient for users but add “attack surface,” or potential for weakness.
“iMessage is a built-in service on every iPhone, so it’s a huge target for sophisticated hackers,” says Johns Hopkins cryptographer Matthew Green. “It also has a ton of bells and whistles, and every single one of those features is a new opportunity for hackers to find bugs that let them take control of your phone. So what this research shows is that Apple knows this and has been quietly hardening the system.”Groß outlines three new protections Apple developed to deal with its iMessage security issues at a structural level, rather than through Band-Aid patches. The first improvement, dubbed BlastDoor, is a “sandbox,” essentially a quarantine zone where iMessage can inspect incoming communications for potentially malicious attributes before releasing them into the main iOS environment.
The second new mechanism monitors for attacks that manipulate a shared cache of system libraries. The cache changes addresses within the system at random to make it harder to access maliciously. iOS only changes the address of the shared cache after a reboot, though, which has given zero-click attackers an opportunity to discover its location; it's like taking shots in the dark until you hit something. The new protection is set up to detect malicious activity and trigger a refresh without the user having to restart their iPhone.