Apple’s upcoming iOS and iPadOS 14.5 update will make zero-click attacks significantly more difficult by expanding PAC security features, Motherboard reports.
Apple has changed the way it secures its code in the latest iOS 14.5 and iPadOS 14.5 betas to make zero-click attacks much more difficult. The change, noted by security researchers, has now been confirmed by Apple and is expected to be included in the latest update.
Zero-click attacks allow hackers to break into a target without any action by the victim, such as clicking a malicious phishing link. They are therefore significantly more difficult for targeted users to detect and are considered much more sophisticated.
Since 2018, Apple has been using Pointer Authentication Codes (PAC) to prevent attackers from using corrupted memory to inject malicious code. Cryptography is used to authenticate and validate pointers before they are used. ISA pointers tell a program what code to use when it runs on iOS. Apple is now extending PAC protection to these ISA pointers by signing them cryptographically.
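The sign-then-authenticate idea described above, as an added example that is not Apple's code or algorithm: a simplified C model in which a keyed code is stored in a pointer's unused upper bits and checked before the pointer is used. The 48-bit address width, the toy mixing function, the key, the use of the object's address as context and all addresses are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of pointer authentication; NOT Apple's or Arm's algorithm.
 * Assumptions: 48-bit virtual addresses, so the top 16 bits are free for the
 * code; a toy keyed mixer stands in for the hardware cipher; the key is a
 * constructed constant (real keys are held by the CPU, not in memory). */
#define ADDR_MASK 0x0000FFFFFFFFFFFFULL
static const uint64_t MODEL_KEY = 0x9E3779B97F4A7C15ULL; /* constructed */

/* Toy keyed MAC over (address, context), truncated to 16 bits. */
static uint64_t toy_mac(uint64_t addr, uint64_t ctx) {
    uint64_t x = (addr & ADDR_MASK) ^ MODEL_KEY;
    x ^= ctx * 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    x ^= x >> 31;
    return x >> 48;
}

/* Sign: place the code in the unused upper bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx) {
    return (ptr & ADDR_MASK) | (toy_mac(ptr, ctx) << 48);
}

/* Authenticate before use: returns 1 and the stripped pointer on success,
 * 0 if the address bits or the context do not match the stored code. */
int pac_auth(uint64_t signed_ptr, uint64_t ctx, uint64_t *out) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    if ((signed_ptr >> 48) != toy_mac(addr, ctx)) return 0;
    *out = addr;
    return 1;
}

/* Models memory corruption: the address bits change, the old code stays,
 * because a matching code cannot be computed without the key. */
uint64_t corrupt_address(uint64_t signed_ptr, uint64_t new_addr) {
    return (signed_ptr & ~ADDR_MASK) | (new_addr & ADDR_MASK);
}

int main(void) {
    uint64_t isa = 0x0000000100004000ULL;  /* constructed class address */
    uint64_t slot = 0x0000000280001010ULL; /* constructed object address (context) */
    uint64_t out = 0, s = pac_sign(isa, slot);
    printf("genuine isa accepted: %d\n", pac_auth(s, slot, &out));
    printf("overwritten isa accepted: %d\n",
           pac_auth(corrupt_address(s, 0x0000000100008000ULL), slot, &out));
    printf("isa moved to another object accepted: %d\n", pac_auth(s, slot + 0x40, &out));
    return 0;
}
```

With only 16 bits of code in this model, an overwritten pointer still passes by chance about once in 65,536 attempts; every other attempt fails the check instead of being dereferenced.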
“Nowadays, since the pointer is signed, it is more difficult to corrupt these pointers to manipulate objects in the system. These objects were mostly used in sandbox breakouts and zero-clicks,” Adam Donenfeld of security firm Zimperium told Motherboard. The change will certainly make “zero clicks more difficult. Sandbox escapes too. Significantly more difficult.” Sandboxes are designed to isolate applications from each other and to stop a program's code from interacting with the wider operating system.
While zero-clicks will not be eradicated by this change, many of the exploits used by hackers and government organizations will now be “irretrievably lost”. Hackers will now have to find new techniques to implement zero-click attacks on iPhone and iPad, but the security improvements to ISA pointers are likely to have a significant impact on the total number of attacks on these devices.