A zero-click attack is a terrifying kind of cyberattack for smartphone users, requiring nothing in the way of social engineering attacks (such as phishing emails) in order to seize control of a person’s device. Instead, these highly specialized attacks exploit vulnerabilities that don’t require the user to do anything—thereby making the attacks both harder to foil, and to detect.
While zero-click attacks might be rare, however, they have nonetheless been successfully carried out before. To help halt them in their tracks, Apple is cracking down on exploit methods in the forthcoming iOS 14.5.
Apple’s Security Overhaul
Researchers who scoured the latest iOS beta—released in mid-February—have discovered that Apple has switched up the way that it secures code, writes Motherboard. The change reportedly involves something called ISA pointers. The report explains that:
“Since 2018, Apple has implemented a technology called Pointer Authentication Codes (or PAC) to protect iPhone users from exploits which inject malicious code by preventing attackers from leveraging corrupted memory, according to Apple’s Platform Security Guide.This is done by using cryptography to authenticate these pointers and validate them before they’re used. ISA pointers are a related feature of iOS’s code that tells a program what code to use when it runs. Until now, they were not protected with PAC, as Samuel Groß from Google Project Zero explained last year. By using cryptography to sign these pointers, Apple extended PAC protections to ISA pointers.”
Security researchers say that this change will make it much harder to pull off zero-click exploits, as well sandbox escapes. The latter refers to an exploit which allows malicious code to be executed from a sandbox, in a way it impacts the system outside of the isolated sandbox environment.
As noted, zero-click attacks are exceptionally rare, although they have occurred in the wild. They are often developed as a way to pursue a high profile individual. For example, in 2016, hackers who were working for the United Arab Emirates government used Karma, a zero-click iPhone hacking tool code, to break into the phones of hundreds of targets. In 2020, 36 Al Jazeera editors and journalists were the victims of a zero-click iPhone attack.
Coming Soon in iOS 14.5
Apple’s new security measures will almost certainly be included as part of the public release iOS 14.5 when it rolls out to users. In addition to the zero-click attack security measure, other iOS 14.5 upgrades will include the ability to set a default music player of your choice, the ability to unlock your iPhone while wearing a mask, more than 200 new emoji, app tracking transparency, and more.
Apple has yet to reveal exactly when the public version of iOS 14.5 will launch. However, it seems likely that it could be later this month.
Image Credit: Frederik Lipfert/Unsplash CC