
Google Project Zero on Thursday revealed details of a new security mechanism that Apple quietly added to iOS 14 as a countermeasure against attacks that were recently discovered to exploit zero-day flaws in its messaging app.
Nicknamed "BlastDoor," the improved sandbox system for iMessage data was described by Samuel Groß, a security researcher with Project Zero, a team of Google security researchers tasked with studying zero-day vulnerabilities in hardware and software systems.
"One of the major changes in iOS 14 is the introduction of a new 'BlastDoor' service, which is now responsible for almost all parsing of untrusted data in iMessages," said Groß. "In addition, this service is written in Swift, a (mostly) memory-safe language, which makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base."

The development follows a zero-click exploit that leveraged an Apple iMessage flaw in iOS 13.5.1 to bypass security protections as part of a cyber-espionage campaign targeting Al Jazeera journalists last year.
"We do not believe that [the exploit] works against iOS 14 and above, which includes new security protections," said Citizen Lab researchers, who disclosed the attack last month.
BlastDoor forms the core of these new security protections, according to Groß, who analyzed the changes during a week-long reverse-engineering project using a Mac Mini M1 running macOS 11.1 and an iPhone XS running iOS 14.3.
When an iMessage arrives, the message passes through a number of services, including the Apple Push Notification Service daemon (apsd) and a background process called imagent, which is responsible not only for decoding the content of the message but also for downloading attachments (through a separate service called IMTransferAgent) and handling links to websites, before alerting SpringBoard to display the notification.

What BlastDoor does is inspect all of these incoming messages in a secure environment, which prevents any malicious code inside a message from interacting with the rest of the operating system or accessing user data.
In other words, by moving most of the processing tasks – that is, decoding the message property list and creating link previews – from imagent to the new BlastDoor component, a specially crafted message sent to a target can no longer interact with the file system or perform network operations.
"The sandbox profile is quite tight," Groß said. "Only a handful of local IPC services can be reached, almost all file system interaction is blocked, any interaction with IOKit drivers is prohibited, [and] outbound network access is denied."
Moreover, in an attempt to slow down attacks that rely on repeatedly crashing the attacked service, Apple has also introduced a new throttling feature in the iOS launchd process that limits the number of attempts an attacker gets when trying to exploit a flaw, by exponentially increasing the delay between two successive restarts of the crashed service.
"With this change, an exploit that relied on repeatedly crashing the attacked service would now likely require in the order of multiple hours to roughly half a day to complete instead of a few minutes," Groß said.
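To make the "minutes to hours" effect concrete, here is an added example (not code from Apple, Project Zero, or the article) that models a launchd-style restart throttler with exponential back-off and compares it against a fixed restart delay. The base delay, the cap, and the reset-after-stable-uptime rule are assumptions chosen for illustration; the article gives no such parameters.

```python
"""Model of exponential restart back-off for a crash-prone service.

Assumed policy (not Apple's actual launchd parameters):
  - the n-th consecutive crash is followed by a wait of base_delay * 2**n seconds,
  - the wait is capped at max_delay,
  - a stable run of at least reset_after seconds resets the crash counter.
"""
from dataclasses import dataclass


@dataclass
class RestartThrottler:
    base_delay: float = 1.0        # assumed: 1 s wait after the first crash
    max_delay: float = 20 * 60.0   # assumed: never wait longer than 20 minutes
    reset_after: float = 600.0     # assumed: 10 min of clean uptime resets the counter
    consecutive_crashes: int = 0

    def delay_for_next_restart(self) -> float:
        """Back-off for the current crash count, capped at max_delay."""
        return min(self.base_delay * 2 ** self.consecutive_crashes, self.max_delay)

    def on_crash(self, uptime: float) -> float:
        """Record a crash of a service that ran for `uptime` seconds.

        Returns how long the supervisor should wait before restarting it.
        """
        if uptime >= self.reset_after:
            # The service was healthy for a while: treat this as a fresh failure.
            self.consecutive_crashes = 0
        delay = self.delay_for_next_restart()
        self.consecutive_crashes += 1
        return delay


def time_to_attempts(attempts: int, policy: str,
                     base_delay: float = 1.0, max_delay: float = 20 * 60.0) -> float:
    """Total seconds an attacker must spend to get `attempts` restarts of the
    service, assuming every attempt crashes it immediately (uptime ~ 0).

    policy: "fixed"       - every restart waits base_delay seconds
            "exponential" - the RestartThrottler policy above
    """
    if policy == "fixed":
        return attempts * base_delay
    if policy == "exponential":
        throttler = RestartThrottler(base_delay=base_delay, max_delay=max_delay)
        return sum(throttler.on_crash(uptime=0.0) for _ in range(attempts))
    raise ValueError(f"unknown policy: {policy!r}")


if __name__ == "__main__":
    n = 20  # number of crash-and-retry rounds an exploit might need
    fixed = time_to_attempts(n, "fixed")
    backoff = time_to_attempts(n, "exponential")
    print(f"{n} attempts with a fixed 1 s restart delay: {fixed / 60:.1f} minutes")
    print(f"{n} attempts with exponential back-off:      {backoff / 3600:.1f} hours")
```

With these parameters, 20 immediate crashes cost 20 seconds under the fixed policy but 12,847 seconds (about 3.6 hours) under exponential back-off, which is the order of magnitude Groß describes. The reset rule matters for defenders too: it keeps the throttle from punishing a service that crashes once after a long healthy run, so the cost falls only on whoever crashes it over and over.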
"Overall, these changes are probably very close to the best that could have been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole."