Apple substantially reworked iMessage's security in iOS 14 to defend against zero-click remote attacks, but it has revealed little about what it actually changed. Now Google Project Zero security researcher Samuel Groß has written a blog post describing how he uncovered the new protections through a reverse-engineering project, using an M1 Mac Mini running macOS 11.1 and an iPhone XS running iOS 14.3.
Samuel said that Apple has introduced a new, tightly sandboxed "BlastDoor" service in iOS 14, written in Swift. The service "is now responsible for almost all parsing of untrusted data in iMessages (for example, NSKeyedArchiver payloads)", and because Swift is a relatively memory-safe language, this "makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base."
For a zero-click exploit to work, he explained, an attacker needs a memory corruption vulnerability that is reachable without user interaction (and ideally without triggering any user notifications), a way to break ASLR remotely, a way to turn the vulnerability into remote code execution, and a way to break out of any sandbox, typically by exploiting a separate vulnerability in another operating system component.
Apple is said to have carried out "significant refactoring of iMessage processing" in iOS 14, making each of those steps harder for attackers.
Alongside the new "BlastDoor" service, Apple has also made bypassing ASLR remotely much harder: iOS 14 introduces "exponential throttling" that slows down brute-force attacks.
“To limit an attacker’s ability to retry exploits or brute force ASLR, the BlastDoor and imagent services are now subject to a newly introduced exponential throttling mechanism enforced by launchd, causing the interval between restarts after a crash to double with every subsequent crash (up to an apparent maximum of 20 minutes),” he added.
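To see why that matters for ASLR brute forcing, here is an added illustration (not code from the article or from Apple's launchd) that models the restart schedule described in the quote: the wait doubles after every crash and is capped at 20 minutes. The initial interval of one second and the attempt counts used below are assumptions for the example; the article does not state them.

```python
"""Model of the exponential crash throttling described for BlastDoor/imagent.

Added illustration, not Apple's or the article's code. The doubling rule and the
20-minute cap come from the quoted description; the 1 s initial interval and the
attempt counts are assumptions made for this example.
"""

MAX_INTERVAL_S = 20 * 60  # apparent cap of 20 minutes, per the quoted description


def restart_interval(crash_index: int, initial_s: float = 1.0) -> float:
    """Delay before the restart that follows crash number `crash_index` (0-based).

    The interval doubles with every subsequent crash and is capped at MAX_INTERVAL_S.
    `initial_s` is an assumed starting interval; the article does not give one.
    """
    if crash_index < 0:
        raise ValueError("crash_index must be non-negative")
    # Clamp the exponent as well so huge indices never build an enormous float.
    return min(initial_s * (2.0 ** min(crash_index, 60)), MAX_INTERVAL_S)


def time_for_attempts(n_attempts: int, initial_s: float = 1.0) -> float:
    """Seconds an attacker must wait to make n_attempts exploit attempts when every
    wrong guess crashes the service.

    The first attempt is immediate; attempt k (k >= 2) happens after the (k-1)-th
    restart, so the total is the sum of the first n_attempts-1 restart intervals.
    """
    if n_attempts < 1:
        raise ValueError("n_attempts must be at least 1")
    return sum(restart_interval(i, initial_s) for i in range(n_attempts - 1))


def attempts_within(budget_s: float, initial_s: float = 1.0) -> int:
    """Number of crash-and-retry attempts that fit inside budget_s seconds."""
    elapsed = 0.0
    attempts = 1  # the first attempt needs no restart
    crash_index = 0
    while True:
        wait = restart_interval(crash_index, initial_s)
        if elapsed + wait > budget_s:
            return attempts
        elapsed += wait
        attempts += 1
        crash_index += 1


if __name__ == "__main__":
    # Assumed scenario: an ASLR guess that needs 256 tries on average (illustrative
    # number, not a statement about iOS ASLR entropy) and an unthrottled rate of
    # one attempt per second for comparison.
    guesses = 256
    throttled = time_for_attempts(guesses)
    print(f"{guesses} guesses unthrottled at 1/s: {guesses} s")
    print(f"{guesses} guesses under throttling:  {throttled:.0f} s "
          f"(~{throttled / 86400:.1f} days)")
    print(f"Attempts possible in one day under throttling: {attempts_within(86400)}")
```

The point the numbers make is that the cap, not the doubling, dominates once the interval saturates: after roughly a dozen crashes every further attempt costs a full 20 minutes, so a brute force that would take minutes at one guess per second stretches into days, and an attacker gets only a few dozen tries per day against a single device.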