According to Motherboard, Apple has come up with a way to protect iOS from zero-click exploits. These exploits allow a hacker to take control of an iPhone without any interaction from the victim. The change developed by Apple has been quietly added to the beta version of iOS 14.5, giving iPhone users another reason to wait for the final version of the update. Other features coming in the next version of iOS include one that lets an iPhone user wearing a face mask automatically unlock their phone if they are wearing an unlocked Apple Watch. The update also adds new emoji and an App Tracking Transparency feature that prevents a user from being tracked by a third-party app unless they opt in to being tracked.
Apple makes it harder for hackers to use zero-click exploits in the upcoming iOS 14.5 update, due for release this spring
According to a source that develops exploits for government clients, the changes made by Apple “… will definitely make 0-clicks more difficult. Sandbox also leaks. Significantly more difficult.” Since zero-click attacks take place without any action from the phone owner, these attacks are generally more sophisticated and more difficult for the target to detect. ISA pointers, an iOS feature, tell the operating system what code to use. According to Apple’s Platform Security Guide, Apple now uses cryptography to validate these pointers by using Pointer Authentication Codes (or PACs). This is a new form of protection for Apple and prevents hackers from using malicious code in an attack. Adam Donenfeld, a member of security firm Zimperium, noticed the change earlier this month when he reverse engineered the iOS 14.5 beta.
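A toy model of the pointer-signing check described above, added here as an illustration and not taken from Apple's code or from the article. The 48-bit address width, the mixing function, the key, the context values and all names are assumptions; real PAC uses a hardware cipher and keys that software cannot read.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model (assumption): 48-bit addresses, so the top 16 bits hold the PAC. */
#define ADDR_MASK 0x0000FFFFFFFFFFFFULL
#define PAC_SHIFT 48

/* Stand-in keyed mixer (splitmix64 finalizer), not the hardware's cipher. */
static uint64_t mix(uint64_t x) {
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* 16-bit tag over (address, context) under a key the attacker cannot read. */
static uint64_t pac_for(uint64_t addr, uint64_t ctx, uint64_t key) {
    return mix(mix(addr ^ key) ^ ctx) >> PAC_SHIFT;
}

/* Sign: place the tag in the unused upper bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx, uint64_t key) {
    uint64_t addr = ptr & ADDR_MASK;
    return addr | (pac_for(addr, ctx, key) << PAC_SHIFT);
}

/* Authenticate: returns 1 and the stripped address only if the tag matches. */
int pac_auth(uint64_t signed_ptr, uint64_t ctx, uint64_t key, uint64_t *out) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    if ((signed_ptr >> PAC_SHIFT) != pac_for(addr, ctx, key)) return 0;
    *out = addr;
    return 1;
}

/* Constructed sample values: a key, two class addresses, two object contexts. */
#define KEY       0x0123456789ABCDEFULL
#define CLASS_A   0x0000000100008000ULL
#define FAKE_CLS  0x0000000141414140ULL
#define OBJ_CTX   0x000000016F000010ULL
#define OTHER_CTX 0x000000016F000040ULL

int main(void) {
    uint64_t isa = pac_sign(CLASS_A, OBJ_CTX, KEY), cls = 0;
    printf("intact isa:         %d\n", pac_auth(isa, OBJ_CTX, KEY, &cls));
    printf("overwritten isa:    %d\n", pac_auth(FAKE_CLS, OBJ_CTX, KEY, &cls));
    printf("replayed elsewhere: %d\n", pac_auth(isa, OTHER_CTX, KEY, &cls));
    return 0;
}
```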
Zero-click vulnerabilities will be harder to achieve in iOS 14.5
Not only did Apple tell Motherboard that this change will help protect the iPhone from zero-click attacks, Donenfeld said in an online chat that “nowadays, since the pointer is signed, it’s more difficult to corrupt these pointers to manipulate objects on the system. These objects were mainly used in sandbox escapes and 0-clicks.” And now the bad guys are the ones who are annoyed. An iOS security researcher, who requested anonymity because he is not authorized to speak to the media, said that many hackers are upset “because some techniques have now been irretrievably lost.”
Just last December, a zero-click AirDrop exploit was discovered. AirDrop is a feature that allows iOS users to send and receive files from other nearby iOS devices. Discovered by Google’s Project Zero, the vulnerability was patched by Apple in iOS 13.5. It only required the attacker to be within Wi-Fi range of the target device. It took six months for hackers to exploit this vulnerability, although hackers with better technology would have found it easier. Furthermore, no solid evidence was ever found to show that hackers took advantage of the AirDrop vulnerability. Zero-click exploits are scary because not only do they not rely on the user of the target device doing something to trigger the hack, but most of the time the victim has no idea that their phone has been targeted until it starts doing strange things.
Zimperium’s Donenfeld notes that hackers will seek new techniques to replace the ones that have been lost. He also says that while zero-click exploits are now more difficult to achieve, they are not impossible to use for attacks. “Actually, this mitigation probably only increases the cost of 0clicks, but a determined attacker with lots of resources could still do it,” said Jamie Bishop, who is one of the developers of the popular Checkra1n jailbreak. Still, because the change makes a zero-click attack harder to pull off, iPhone users should install iOS 14.5 as soon as the final public version is available this spring.