Thursday, January 28, 2021

Apple implemented a new security system for iMessage in iOS 14

A Google researcher discovered a new security system for iMessage.

What you need to know

  • Apple has added a new BlastDoor security system to iMessage in iOS 14.
  • It stops malicious messages from having access to the operating system and user data.

As reported by ZDNet, Apple has added a new security system called BlastDoor to protect against malicious attacks in its iMessage messaging service.

Named BlastDoor, this new iOS security feature was discovered by Samuel Groß, a security researcher with Project Zero, a Google security team tasked with finding vulnerabilities in commonly-used software. Groß said the new BlastDoor service is a basic sandbox, a type of security service that executes code separately from the rest of the operating system. While iOS ships with multiple sandbox mechanisms, BlastDoor is a new addition that operates only at the level of the iMessage app.

The system prevents malicious code hidden within a message to have access to the operating system or a user's data. According to the report, several security researchers in the past have pointed out iMessage's lack of sanitizing incoming data in iMessage, hence the addition of the BlastDoor service.

Over the past three years, there had been multiple instances where security researchers or real-world attackers found iMessage remote code execution (RCE) bugs and abused these issues to develop exploits that allowed them to take control over an iPhone just by sending a simple text, photo, or video to someone's device.

Groß says that the protection is most likely the best Apple could put in place considering its need to support older versions of iOS.

"Overall, these changes are probably very close to the best that could've been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole ... It's great to see Apple putting aside the resources for these kinds of large refactorings to improve end users' security."


0 comments:

Post a Comment