Google unveils new iOS security feature that Apple has quietly added after zero-day attacks

Apple BlastDoor sandbox

Google Project Zero on Thursday revealed details of a new security mechanism that Apple has quietly added to iOS 14 as a countermeasure to prevent attacks that were recently found to use zero-days in its messaging app.

Dubbed “BlastDoor,” the hardened iMessage data sandbox was detailed by Samuel Groß, a security researcher at Project Zero, the Google team tasked with studying zero-day vulnerabilities in hardware and software systems.

“One of the most significant changes in iOS 14 is the introduction of a new ‘BlastDoor’ service with a tight sandbox, which is now responsible for almost all parsing of untrusted data in iMessages,” said Groß. “In addition, this service is written in Swift, a (mostly) memory-safe language that makes it significantly more difficult to introduce classic memory corruption vulnerabilities into the code base.”


The development is the result of a zero-click exploit that used an Apple iMessage flaw in iOS 13.5.1 to bypass security measures as part of a cyber-espionage campaign targeting Al Jazeera journalists last year.

“We don’t believe that [the exploit] works against iOS 14 and above, which includes new security measures,” said Citizen Lab researchers who revealed the attack last month.

BlastDoor is at the heart of those new security measures, said Groß, who analyzed the changes implemented over the course of a week-long reverse engineering project using an M1 Mac Mini with macOS 11.1 and an iPhone XS with iOS 14.3.

When an incoming iMessage arrives, it passes through a number of services, the main ones being the Apple Push Notification Service daemon (apsd) and a background process called imagent, which is responsible not only for decrypting the message content but also for downloading attachments (through a separate service called IMTransferAgent) and handling links to websites before SpringBoard is notified to display the notification.


What BlastDoor does is inspect all such incoming messages in a secure sandbox environment, which prevents malicious code in a message from interacting with the rest of the operating system or accessing user data.

In other words, by moving the majority of the processing tasks – i.e. decoding the message property list and creating link previews – from imagent to the new BlastDoor component, a specially crafted message sent to a target can no longer touch the file system or perform network operations.

“The sandbox profile is pretty tight,” noted Groß. “Only a handful of local IPC services can be reached, almost all file system interaction is blocked, any interaction with IOKit drivers is prohibited, [and] outgoing network access is denied.”

What’s more, to slow down the restart of a crashing service, Apple has also introduced a new throttling feature in the iOS ‘launchd’ process: the delay between two consecutive restarts grows exponentially, which limits the number of attempts an attacker gets when trying to brute-force a bug.

“With this change, an exploit that relied on the repeated crashing of the attacked service would now probably take on the order of several hours to about half a day instead of a few minutes,” said Groß.
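To make the two mechanisms concrete (parsing untrusted data in a throwaway isolated process, and exponential restart back-off after crashes), here is an added example that is not code from Project Zero, Apple or the article. It assumes a POSIX system with fork() and pipes, models the message as JSON rather than Apple's property list, uses a constructed "poison" key to make the worker abort (standing in for a memory-corruption crash in a native parser), and picks arbitrary back-off parameters, since the article only states that the delay grows exponentially. The process boundary is the only isolation shown here; a BlastDoor-style service layers a sandbox profile on top of it.

```python
import json
import os
import re


# Constructed stand-in for the untrusted message format (JSON instead of a
# property list). The "poison" key is a constructed crash trigger so the
# isolation and the throttle can be exercised; it has no real-world meaning.
def parse_message(raw):
    """Untrusted parsing step: runs only inside the isolated worker."""
    obj = json.loads(raw.decode("utf-8"))
    if not isinstance(obj, dict) or "text" not in obj:
        raise ValueError("message has no text field")
    if obj.get("poison"):
        os.abort()  # simulated native parser crash (constructed trigger)
    text = str(obj["text"])
    # Only structured, size-bounded results leave the worker; the parent
    # never touches the raw bytes again.
    return {"text": text[:4096], "links": re.findall(r"https?://\S+", text)[:16]}


def parse_isolated(raw):
    """Run parse_message in a forked child; report ok / reject / crash.

    Assumption: POSIX fork() and pipes. Only fault isolation is shown here,
    not the sandbox profile a real BlastDoor-style service would also apply.
    """
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: parse, write a JSON reply, never return to caller
        os.close(read_end)
        try:
            reply = parse_message(raw)
        except ValueError as exc:  # covers JSON and UTF-8 decode errors too
            reply = {"error": str(exc)}
        data = json.dumps(reply).encode("utf-8")
        while data:
            data = data[os.write(write_end, data):]
        os._exit(0)
    # parent: drop our copy of the write end, drain the pipe, reap the child
    os.close(write_end)
    chunks = []
    while True:
        chunk = os.read(read_end, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(read_end)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return "crash", "worker killed by signal %d" % os.WTERMSIG(status)
    data = b"".join(chunks)
    reply = json.loads(data) if data else {"error": "worker produced no output"}
    if "error" in reply:
        return "reject", reply["error"]
    return "ok", reply


class RestartThrottle:
    """Exponential restart back-off after consecutive crashes, modelled on the
    launchd change described above. Parameters are assumptions: the article
    gives no numbers, only that the delay grows exponentially."""

    def __init__(self, base_delay=1.0, factor=2.0, max_delay=3600.0):
        self.base_delay = base_delay
        self.factor = factor
        self.max_delay = max_delay
        self.consecutive_crashes = 0

    def record_crash(self):
        self.consecutive_crashes += 1

    def record_clean_exit(self):
        # Assumption: a clean exit (success or a rejected message) resets the
        # counter; only genuine crashes feed the back-off.
        self.consecutive_crashes = 0

    def next_restart_delay(self):
        if self.consecutive_crashes == 0:
            return 0.0
        return min(self.max_delay,
                   self.base_delay * self.factor ** (self.consecutive_crashes - 1))


def total_wait_for_crashes(n_crashes, base_delay=1.0, factor=2.0, max_delay=3600.0):
    """Seconds an attacker must wait across n_crashes consecutive crash restarts."""
    throttle = RestartThrottle(base_delay, factor, max_delay)
    total = 0.0
    for _ in range(n_crashes):
        throttle.record_crash()
        total += throttle.next_restart_delay()
    return total


class MessageBroker:
    """Parent-side dispatcher: a fresh isolated worker per message, with the
    restart throttle updated after every outcome."""

    def __init__(self, throttle):
        self.throttle = throttle

    def deliver(self, raw):
        status, payload = parse_isolated(raw)
        if status == "crash":
            self.throttle.record_crash()
        else:
            self.throttle.record_clean_exit()
        # A real broker would sleep this long before spawning the next worker;
        # here the delay is returned so the caller can observe it.
        return status, payload, self.throttle.next_restart_delay()


if __name__ == "__main__":
    broker = MessageBroker(RestartThrottle(base_delay=1.0, max_delay=600.0))
    for raw in (b'{"text": "see https://example.com"}', b'not json',
                b'{"text": "x", "poison": true}', b'{"text": "x", "poison": true}'):
        print(broker.deliver(raw))
    print("wait for 10 crashes, capped at 600 s:", total_wait_for_crashes(10, 1.0, 2.0, 600.0))
```

The point of the split is that a crash in parse_message kills only the child; the parent sees a signal-terminated worker, keeps running, and lengthens the wait before the next worker, so repeated crash-and-retry exploitation pays a growing time cost rather than a fixed few seconds per attempt.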

“Overall, these changes are probably close to the best that could have been done given the need for backward compatibility, and should have a significant impact on the security of iMessage and the platform as a whole.”
