Apple’s latest iOS and macOS platform refresh came with a lot more than urgent security patches.
The company activated a new feature called iMessage Contact Key Verification in another attempt to block impersonators and sophisticated threat actors abusing its iMessage server infrastructure.
With the activation, fully patched iPhones and macOS-powered devices add an ON/OFF toggle that lets users verify they’re messaging only with the people they intend and receive alerts if there’s a hiccup in the verification process.
Apple first announced the feature in October and is positioning it as another roadblock to raise the cost for advanced threat actors and mercenary hacking companies that target its iMessage service. In the past, surveillance spyware vendors like NSO Group have been caught using iMessage zero-days and zero-click exploits against high-profile targets around the world.
Apple previously rolled out ‘Lockdown Mode’ to remove attack surfaces and block state-sponsored malware exploits on its platform as the company continues to struggle to contain a surge in in-the-wild zero-days.
The company has published guidance on turning on the new feature to help users automatically verify they’re messaging with the intended person. All devices signed in to iMessage must be running iOS 17.2, macOS 14.2 or watchOS 9.2.
“In iMessage conversations with people who have also turned on iMessage Contact Key Verification, you receive an alert if there’s an error in this verification process. These alerts help make sure that even a very sophisticated attacker can’t impersonate anyone in the conversation,” Cupertino explained.
In addition, iPhone and macOS users can manually verify contacts by comparing verification codes. “When you manually verify a contact, iMessage Contact Key Verification verifies that the code you have saved matches the one provided by the iMessage servers for that contact and notifies you if the verification code changes,” the company explained.
The new feature comes alongside patches for multiple serious vulnerabilities that expose iOS and macOS users to malicious hacker attacks.
The newest iOS 17.2 and iPadOS 17.2 releases contain fixes for at least 11 documented security defects, some serious enough to lead to arbitrary code execution or app sandbox escapes.
According to an advisory from Cupertino’s security response team, the most serious issue is a memory corruption in ImageIO that may lead to arbitrary code execution when certain images are processed.
The iOS 17.2 rollout also addresses a code execution flaw in the WebKit rendering engine and a memory safety issue that allows apps to break out of the device sandbox.
Separately, Apple rolled out iOS 16.7.3 and iPadOS 16.7.3 to provide a batch of security fixes to devices running older versions of the operating system. Those updates also include fixes for previously documented WebKit zero-days caught via in-the-wild exploitation.