Apple is going to make one of the most powerful types of attacks on iPhones much harder to pull off in an upcoming update of iOS.
The company quietly made a new change in the way it secures the code running in its mobile operating system. The change is in the beta version of the next iOS version, 14.5, meaning it is currently slated to be added to the final release. Several security researchers who specialize in finding vulnerabilities in and crafting exploits for iOS believe this new mitigation will make it much harder for hackers to take control of an iPhone with a technique known as a zero-click (or 0-click) exploit, which allows a hacker to take over an iPhone with no interaction from the target. Apple also told Motherboard it believes the changes will impact 0-click attacks.
"It will definitely make 0-clicks harder. Sandbox escapes too. Significantly harder," a source who develops exploits for government customers told Motherboard, referring to "sandboxes" which isolate applications from each other in an attempt to stop code from one program interacting with the wider operating system. Motherboard granted multiple exploit developers anonymity to speak more candidly about sensitive industry issues.
Like the name suggests, zero-click attacks allow hackers to break into a target without needing the victim to interact with anything, such as clicking a malicious phishing link. This means the attack is generally harder for the targeted user to detect. These are generally very sophisticated attacks.
These attacks may now become much rarer, according to several security researchers who look for vulnerabilities in iOS.
The change centers around something called ISA pointers. Since 2018, Apple has used a technology called Pointer Authentication Codes (or PAC) to protect iPhone users from exploits that inject malicious code, by preventing attackers from leveraging corrupted memory, according to Apple's Platform Security Guide. PAC uses cryptography to sign pointers and to validate that signature before a pointer is used. An ISA pointer is the field at the start of every Objective-C object that points to the object's class, and so it determines which code runs when the program calls a method on that object. Until now, ISA pointers were not protected with PAC, as Samuel Groß from Google Project Zero explained last year. By cryptographically signing these pointers too, Apple extended PAC protection to ISA pointers.
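To make the mechanism described above concrete, here is an added Python model of pointer authentication. It is not Apple's code and does not use the real ARMv8.3 PAC instructions, which exist only on arm64e hardware: it stands in an HMAC for the CPU's keyed MAC, assumes a 16-bit PAC stored in the top bits of a 64-bit pointer, and uses a constructed two-entry class table. The object's own address is used as the signing context (an assumption for this model) so that a validly signed ISA copied from a different object is rejected as well as a raw overwrite.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption for this model: the PAC occupies the top 16 bits of a 64-bit pointer
# and the remaining 48 bits carry the address. Real PAC widths depend on the
# configured virtual address size; the exact layout is not the point here.
PAC_BITS = 16
ADDR_BITS = 64 - PAC_BITS
ADDR_MASK = (1 << ADDR_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1


class PointerAuthenticator:
    """Toy model of pointer authentication: a keyed MAC over (address, context)."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # On real hardware the key lives in CPU registers that unprivileged code
        # cannot read or write; here it is simply a secret held by this object.
        self.key = key if key is not None else secrets.token_bytes(16)

    def _pac(self, address: int, context: int) -> int:
        msg = address.to_bytes(8, "little") + context.to_bytes(8, "little")
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:2], "little") & PAC_MASK

    def sign(self, address: int, context: int) -> int:
        """Return the pointer with its PAC folded into the otherwise unused upper bits."""
        address &= ADDR_MASK
        return (self._pac(address, context) << ADDR_BITS) | address

    def authenticate(self, signed_ptr: int, context: int) -> int:
        """Strip and verify the PAC; raise rather than hand back a forged pointer."""
        address = signed_ptr & ADDR_MASK
        expected = self._pac(address, context).to_bytes(2, "little")
        actual = ((signed_ptr >> ADDR_BITS) & PAC_MASK).to_bytes(2, "little")
        if not hmac.compare_digest(expected, actual):
            raise ValueError("pointer authentication failed")
        return address


# Constructed sample class table: two class objects at made-up addresses.
CLASS_TABLE = {
    0x1000: {"name": "Greeter", "describe": lambda: "hello"},
    0x2000: {"name": "Other", "describe": lambda: "something else"},
}


def make_object(auth: PointerAuthenticator, class_addr: int, slot: int) -> dict:
    """Allocate an object whose ISA is signed with the object's own address as context."""
    return {"addr": slot, "isa": auth.sign(class_addr, context=slot)}


def call_describe(auth: PointerAuthenticator, obj: dict) -> str:
    """Method dispatch: authenticate the ISA before trusting it, then call through it."""
    class_addr = auth.authenticate(obj["isa"], context=obj["addr"])
    return CLASS_TABLE[class_addr]["describe"]()


def corruption_is_detected(auth: PointerAuthenticator, obj: dict, forged_isa: int) -> bool:
    """Simulate a memory-corruption write over ISA and report whether dispatch refuses it."""
    tampered = dict(obj, isa=forged_isa)
    try:
        call_describe(auth, tampered)
    except ValueError:
        return True
    return False


def demo() -> dict:
    auth = PointerAuthenticator()
    victim = make_object(auth, 0x1000, slot=0x7F00_0000_1000)
    other = make_object(auth, 0x2000, slot=0x7F00_0000_2000)
    return {
        # Legitimate dispatch through a correctly signed ISA works.
        "legit": call_describe(auth, victim),
        # A raw (unsigned) class address written over ISA carries the wrong PAC.
        "raw_write_detected": corruption_is_detected(auth, victim, 0x2000),
        # Replaying another object's validly signed ISA also fails, because the
        # signature was bound to that object's address via the context.
        "replay_detected": corruption_is_detected(auth, victim, other["isa"]),
    }


if __name__ == "__main__":
    print(demo())
```

The two failing cases are the ones the researchers quoted in this piece care about: an attacker with a memory-corruption primitive can no longer simply overwrite an object's ISA with the address of a fake class, and reusing a signed pointer harvested elsewhere is blocked by the per-object context. A 16-bit PAC leaves a small guessing window in this model, which is why the real protection pairs signing with a crash on failure rather than a silent retry.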
Adam Donenfeld, who works for security firm Zimperium, told Motherboard he noticed the change when he reverse engineered the beta version of the upcoming iOS 14.5 at the beginning of the month.
"Nowadays, since the pointer is signed, it is harder to corrupt these pointers to manipulate objects in the system. These objects were used mostly in sandbox escapes and 0clicks," Donenfeld said in an online chat.
An Apple representative told Motherboard that the company believes this change will make zero-clicks harder, although they said that the security of the device is dependent on dialling up multiple mitigations at once, rather than a single item.
A security researcher who works on iOS and asked to remain anonymous as he was not authorized to speak to the press, said that many iPhone hackers are worried "because some techniques are now irretrievably lost."
"It raised the bar," Patroklos Argyroudis, who specializes in researching unknown vulnerabilities and works for security firm CENSUS, told Motherboard in an online chat.
While hackers working for government agencies would prefer to keep this technique and these attacks secret, some examples of zero-click hacks have surfaced in the last few years.
In 2016, hackers working for the United Arab Emirates government used a zero-click iPhone hacking tool code named Karma to break into the phones of hundreds of targets. In 2018, Motherboard reported that the spyware vendor NSO Group was giving demos of its zero-click hacking tools. Then, at the end of last year, the digital rights group Citizen Lab revealed that 36 journalists and editors at Al Jazeera were targeted with a zero-click iPhone hack.
Making zero-clicks harder does not mean this change makes them impossible, though. It is now up to hackers to find new techniques.
While Donenfeld doesn't believe this makes zero-click attacks entirely out of reach, "it certainly will have an impact," he told Motherboard in an online chat.
"When there’s a will there’s a way—there’s always going to be bugs of some sort, whether that be in PAC or whether it be a completely different exploitation strategy," Jamie Bishop, one of the developers of the popular jailbreak Checkra1n, told Motherboard in an online chat. "This mitigation in reality probably just raises the cost of 0clicks, but a determined attacker with a lot of resources would still be able to pull it off."
Bishop said that Apple's new mitigation is not a big deal for most users, "but for users who could be targeted by a 0click? It absolutely would raise the cost of attacking them."
Update: This piece removed a line about an exploit developed by Ian Beer as it is not related to these latest changes.