Security Experts:

Apple Adds 'BlastDoor' to Secure iPhones From Zero-Click Attacks

Apple has quietly added several anti-exploit mitigations into its flagship mobile operating system in what appears to be a specific response to zero-click iMessage attacks observed in the wild.

The new mitigations were discovered by Samuel Groß, a Google Project Zero security researcher who specializes in remote iPhone exploitation and zero-click attacks against mobile messaging systems.

Apple did not document the changes but Groß said he fiddled around with the newest iOS 14 and found that Apple shipped a “significant refactoring of iMessage processing” that severely cripples the usual ways exploits are chained together for zero-click attacks.

Groß notes that memory corruption based zero-click exploits typically require exploitation of multiple vulnerabilities to create exploit chains.  In most observed attacks, these could include a memory corruption vulnerability, reachable without user interaction and ideally without triggering any user notifications; a way to break ASLR remotely; a way to turn the vulnerability into remote code execution;; and a way to break out of any sandbox, typically by exploiting a separate vulnerability in another operating system component (e.g. a userspace service or the kernel).

With iOS 14, Groß discovered that Apple shipped a significant refactoring of iMessage processing, and made all four parts of an attack much harder to succeed. 

The first big addition is a new, tightly sandboxed “BlastDoor” service that is now responsible for the parsing of untrusted data in iMessages.

Separately, Apple added logic into iOS 14 to specifically detect [shared cache region] attacks and new techniques to limit an attacker’s ability to retry exploits or brute force Address Space Layout Randomization (ASLR).

The mitigations, Groß said, made all four parts of a typical zero-click attack harder and he commended Apple for responding to the work of offense-focused hackers to respond to documented in-the-wild attacks.

“Overall, these changes are probably very close to the best that could’ve been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole,” the Google researcher added.

Related: iOS Exploit Allows 'Unfettered Access' to iPhone User Data Over Wi-Fi

RelatedGoogle Researchers Detail Critical iMessage Vulnerability

Related: Apple Ships Emergency Fixes for Under-Attack iOS Zero-Day

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. He is a regular speaker at cybersecurity conferences around the world. Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Follow Ryan on Twitter @ryanaraine.