Amidst the other new features in iOS 14.5, Apple has also implemented changes to the way it protects code that runs on iOS. As reported by Motherboard, the changes Apple has made behind the scenes will make it more difficult for hackers to develop exploits without clicking.
The report cites several security researchers who believe that these changes will hamper vulnerabilities without clicking. These are exploits that allow hackers to gain control of a user’s iPhone without any interaction from that user.
The change focuses on technology called Pointer Authentication Codes, which is a crypto security feature that Apple has used since 2018. With iOS 14.5, Apple has expanded this to something called ISA pointers:
ISA pointers are a related feature of iOS code that tells a program what code to use when it runs. Until now, they weren’t protected with PACs, as Google Project Zero’s Samuel Groß explained last year. By using cryptography to sign these pointers, Apple extended PAC protections to ISA pointers.
A security researcher said Motherboard that this change is worrying many iPhone hackers because “some techniques have been irretrievably lost.”
“It will definitely make 0 clicks more difficult. Sandbox also leaks. Significantly more difficult, ”a source that develops exploits for government clients told Motherboard, referring to“ sandboxes ”that isolate applications from each other in an attempt to stop program code interacting with the larger operating system. Motherboard granted anonymity to multiple exploit developers to speak more frankly about sensitive industry topics.
That being said, jailbreak developer Jamie Bishop said the changes are unlikely to completely remove zero-click attacks, but instead increase the cost:
“When there is a will, there is a way: there will always be bugs of some kind, whether it’s in PAC or if it’s a completely different exploitation strategy,” Jamie Bishop, one of the developers of the popular Checkra1n jailbreak, told Motherboard. in an online chat. “In reality, this mitigation probably only increases the cost of 0 clicks, but a determined attacker with lots of resources could still do it.”
Apple confirmed to Motherboard These changes will make zero-click vulnerabilities more difficult, although he clarified that “device security depends on checking multiple mitigations at once, rather than a single item.”
You can find the full report at Motherboard with more details. IOS 14.5 is expected to be released to the public sometime in the spring.
FTC: We use income generating automobile affiliate links. Plus.
Check out 9to5Mac on YouTube for more news from Apple: