Google discovers the new iOS security feature that Apple quietly added after zero-day attacks

Sandbox Apple BlastDoor

Google Project Zero on Thursday revealed details of a new security mechanism that Apple quietly added to iOS 14 as a countermeasure against the kind of attacks that recently exploited zero-day vulnerabilities in its messaging app.

Called "BlastDoor," the improved sandboxing system for iMessage data was disclosed by Samuel Groß, a security researcher at Project Zero, the Google team tasked with studying zero-day vulnerabilities in hardware and software.

"One of the major changes in iOS 14 is the introduction of a new, tightly sandboxed 'BlastDoor' service, which is now responsible for almost all parsing of untrusted data in iMessages," Groß said. "Also, this service is written in Swift, a (mostly) memory-safe language that makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base."


The development follows a zero-click exploit that took advantage of a flaw in Apple iMessage on iOS 13.5.1 to bypass security protections as part of a cyberespionage campaign aimed at Al Jazeera journalists.

"We do not believe that [the exploit] works against iOS 14 and above, which includes new security protections," said Citizen Lab researchers, who disclosed the attack last month.

BlastDoor is at the core of these new security protections, according to Groß, who analyzed the changes over the course of a week-long reverse-engineering project using an M1 Mac Mini running macOS 11.1 and an iPhone XS running iOS 14.3.

When an iMessage arrives, it passes through several services, including the Apple Push Notification Service daemon (apsd) and a background process called imagent, which is responsible not only for decoding the message's contents but also for downloading its attachments (via a separate service called IMTransferAgent) and handling links to websites, before notifying SpringBoard to display the notification.


What BlastDoor does is inspect all of these incoming messages in a secure, sandboxed environment, which prevents any malicious code in the message from interacting with the rest of the operating system or accessing user data.

In other words, by moving most of the processing tasks (i.e., decoding the message's property list and creating link previews) from imagent to this new BlastDoor component, a specially crafted message sent to a target can no longer interact with the file system or perform network operations.

"The sandbox profile is quite tight," Groß noted. "Only a handful of local IPC services can be reached, almost all file system interaction is blocked, any interaction with IOKit drivers is forbidden, [and] outbound network access is denied."

In addition, to slow down repeated restarts of a crashed service, Apple has also introduced a new throttling feature in the iOS "launchd" process that limits the number of attempts an attacker gets when trying to exploit a flaw, by exponentially increasing the delay between two successive brute-force attempts.

"With this change, an exploit that relied on repeatedly crashing the attacked service would now likely require in the order of multiple hours to roughly half a day to complete instead of a few minutes," Groß said.
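To make the effect of the launchd throttling described above concrete, here is a small model of exponential restart backoff. This is an added illustration, not Apple's code, and the base delay, growth factor and cap are constructed assumptions rather than the real launchd parameters; it shows why an exploit that depends on many crash-and-retry cycles goes from seconds to hours once each relaunch waits longer than the last.

```python
# Added example: model of exponential restart throttling for a crashed service.
# All constants are constructed assumptions, NOT Apple's actual launchd values.

def restart_delay(attempt: int, base: float = 1.0, factor: float = 2.0,
                  cap: float = 20 * 60.0) -> float:
    """Seconds the supervisor waits before relaunching a service after its
    `attempt`-th crash (0-based). The delay grows geometrically from `base`
    by `factor` per crash and is capped at `cap` so a service is never
    starved forever. Assumed model, not the real launchd policy."""
    return min(base * factor ** attempt, cap)


def throttled_total(crashes: int, **kw) -> float:
    """Total seconds an attacker would spend waiting for `crashes` relaunches
    under the throttled policy."""
    return sum(restart_delay(i, **kw) for i in range(crashes))


def unthrottled_total(crashes: int, fixed_delay: float = 1.0) -> float:
    """Total seconds under the old behaviour: a fixed, short relaunch delay."""
    return crashes * fixed_delay


def slowdown(crashes: int) -> float:
    """How many times longer the throttled attack takes than the unthrottled one."""
    return throttled_total(crashes) / unthrottled_total(crashes)


if __name__ == "__main__":
    # A brute-force style exploit that needs ~30 crashes (constructed figure)
    # finishes in half a minute without throttling ...
    n = 30
    print(f"unthrottled: {unthrottled_total(n):.0f} s")
    # ... but takes on the order of hours once each relaunch is delayed.
    print(f"throttled:   {throttled_total(n) / 3600:.1f} h")
    print(f"slowdown:    {slowdown(n):.0f}x")
```

With the assumed parameters, 30 crashes cost 30 seconds unthrottled but about 6.9 hours throttled, which is the same order of magnitude Groß describes. From a defender's side, the same curve is the reason repeated crashes of one service in a short window are a useful detection signal: a legitimate process rarely hits the capped delay.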

"Overall, these changes are probably very close to the best that could have been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole."
