With its new iOS 14.5, now in beta testing, Apple is making one of the most notorious types of attacks on iPhones much harder to pull off.
The past year saw several waves of zero-click (0-click) attacks on iPhones, targeting journalists among others. This type of attack does not require any interaction from the victim; an SMS could be enough. The next thing the user knows, their phone is hacked.
Zero-click attacks are usually very sophisticated, and they are much harder for the targeted user to detect because they happen in the background.
But they may now become much rarer, several security researchers specializing in iOS vulnerabilities told Motherboard.
The next iOS update, 14.5, will make these attacks much harder, reports Motherboard. In the new version of iOS, Apple changes the way it secures the code running in its mobile OS. It all boils down to a security feature called Pointer Authentication Codes (PAC). Apple’s developers have extended the scope of PAC to ISA pointers, which were previously vulnerable.
ISA pointers tell a program what code to use when it runs. Until now they were not protected by PAC; from iOS 14.5 they will be cryptographically signed, as Samuel Groß from Google Project Zero explained last year.
Under the new system, “cryptographic signatures are used to ensure that code in the memory has not been manipulated, and to highlight fake versions of various functions,” writes Motherboard.
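The idea of a signed ISA pointer can be shown with a toy model in C. This is an added example, not Apple's code: real PAC is computed in hardware, and `mix`, `DEMO_KEY`, the `cls`/`obj` structs, the storage-slot diversifier and the forced low bit are all constructed assumptions. It also assumes user-space addresses fit in 48 bits.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model of pointer signing. Real PAC is computed by the CPU with keys
   software cannot read; mix() and DEMO_KEY are constructed stand-ins. */
#define PTR_BITS 48
#define PTR_MASK ((UINT64_C(1) << PTR_BITS) - 1)
static const uint64_t DEMO_KEY = UINT64_C(0x9E3779B97F4A7C15);
typedef int (*method_t)(void);
struct cls { method_t describe; };  /* stands in for class metadata */
struct obj { uint64_t isa; };       /* signed pointer to a struct cls */

static uint64_t mix(uint64_t x) {   /* 64-bit bit mixer, not a real MAC */
    x ^= x >> 30; x *= UINT64_C(0xBF58476D1CE4E5B9);
    x ^= x >> 27; x *= UINT64_C(0x94D049BB133111EB);
    return x ^ (x >> 31);
}
/* 16-bit code over (pointer, storage slot). The low bit is forced to 1 so
   a raw pointer with empty upper bits can never authenticate. */
static uint64_t pac(uint64_t ptr, uint64_t slot) {
    return (mix(ptr ^ mix(slot ^ DEMO_KEY)) >> PTR_BITS) | 1;
}
static void set_isa(struct obj *o, const struct cls *c) {
    uint64_t raw = (uint64_t)(uintptr_t)c & PTR_MASK;
    o->isa = raw | (pac(raw, (uint64_t)(uintptr_t)&o->isa) << PTR_BITS);
}
/* Authenticate isa before dispatching through it; -1 means rejected. */
int dispatch(const struct obj *o) {
    uint64_t raw = o->isa & PTR_MASK;
    if ((o->isa >> PTR_BITS) != pac(raw, (uint64_t)(uintptr_t)&o->isa))
        return -1;
    return ((const struct cls *)(uintptr_t)raw)->describe();
}
static int real_describe(void) { return 1; }
static int other_describe(void) { return 2; }
static const struct cls real_cls = { real_describe };
static const struct cls other_cls = { other_describe };

int intact_result(void) {        /* untouched object dispatches normally */
    struct obj o; set_isa(&o, &real_cls);
    return dispatch(&o);
}
int overwritten_result(void) {   /* isa replaced by an unsigned pointer */
    struct obj o; set_isa(&o, &real_cls);
    o.isa = (uint64_t)(uintptr_t)&other_cls;
    return dispatch(&o);
}
int main(void) {
    printf("intact=%d overwritten=%d\n", intact_result(), overwritten_result());
    return 0;
}
```

In the model, an `isa` value that was overwritten without the key fails the check in `dispatch` and is never followed.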
Several anonymous hackers spoke with Motherboard reporters and confirmed the upgrade will have a major effect on this kind of zero-click attack.
“It will definitely make 0-clicks harder,” said one. “Sandbox escapes too. Significantly harder.”
iOS 14.5 is currently in beta testing and will be launched around the end of February or early March.