Google Project Zero Find Another iOS Vulnerability Which Apple Secretly Patched in iOS 14.x
- By Dawna M. Roberts
- Published: Mar 01, 2021
- Last Updated: Mar 18, 2022
As reported by The Hacker News, last Thursday, Google’s Project Zero discovered a new security feature that Apple put into place with its latest update to iOS 14 to patch a vulnerability in the messaging app.
What Happened?
Recently Google Project Zero researcher Samuel Groß found this vulnerability while studying “zero-day vulnerabilities in hardware and software systems.” He nicknamed this one “BlastDoor.”
The Hacker News quoted Groß with “One of the major changes in iOS 14 is the introduction of a new, tightly sandboxed ‘BlastDoor’ service which is now responsible for almost all parsing of untrusted data in iMessages,” Groß said. “Furthermore, this service is written in Swift, a (mostly) memory-safe language which makes it significantly harder to introduce classic memory corruption vulnerabilities into the codebase.”
The issue is related to the exploit used to spy on Al Jazeera journalists last year. It affected iOS version 13.5.1.
Exploit researchers have confirmed that this exploit no longer exists in iOS 14 and above.
How Does the Exploit Work?
The Hacker News explains how the issue worked, “BlastDoor forms the core of those new security protections, per Groß, who analyzed the implemented changes over the course of a week-long reverse engineering project using an M1 Mac Mini running macOS 11.1 and an iPhone XS running iOS 14.3.
When an incoming iMessage arrives, the message passes through a number of services, chief among them being the Apple Push Notification Service daemon (apsd) and a background process called imagent, which is not only responsible for decoding the message contents but also for downloading attachments (through a separate service called IMTransferAgent) and handling links to websites, before alerting the SpringBoard to display the notification.”
Essentially how it is supposed to work is that all inbound messages are typically inspected for anything malicious before they are let in the door. The exploit in iOS 13.5.1 allowed hackers to bypass this inspection and attach malicious files to a text message hoping that a victim would click a link.
Groß explains this as “The sandbox profile is quite tight,” Groß noted. “Only a handful of local IPC services can be reached, almost all file system interaction is blocked, any interaction with IOKit drivers is forbidden, [and] outbound network access is denied.”
The Additional Protection
Along with closing this vulnerability, Apple has included further security features such as one dubbed “launchd” that limits the number of tries an attacker has during a brute-force attack looking to exploit any flaws in the hardware or software.
The Hacker News quoted praise for Apple’s handling of this situation, “With this change, an exploit that relied on repeatedly crashing the attacked service would now likely require in the order of multiple hours to roughly half a day to complete instead of a few minutes,” Groß said.
“Overall, these changes are probably very close to the best that could’ve been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole.”
The Bottom Line
With any operating system, there are bound to be flaws, periodic vulnerabilities, and exploits used by hackers. The best protection for any iPhone or Android device user is to keep their device updated at all times with the latest security patches and operating system.
Additionally, a few other tips would be:
- Never click on links in text messages or email.
- Only download apps and software from trusted sources.
- Keep good, strong antivirus software running on your device at all times.
- Run deep scans often.
- Keep yourself updated on what the latest exploits are so you can protect yourself.
