Apple takes serious measures in action against zero-click exploits in iOS

Apple’s iOS is more and more under attack. We at G DATA sent out an early warning for it last January. The good news is however that Apple is aware of the ramifications of such exploits and working very hard on an improved and more secure iOS version.

Apple is taking measures in an upcoming version of iOS that should make zero-click exploits more difficult. These are exploits for vulnerabilities with which an attacker can take over a device without the victim's interaction. Exploits like this are highly sought after by both criminals as well as intelligence services, and can cost upwards of a million dollars to obtain from vendors specializing in dealing in vulnerabilities. For example, this might involve sending a specially crafted iMessage message with which an attacker can execute his code on a target's iPhone. Such attacks have taken place in the past. Zero-click exploits have been used in several attacks on iPhone users in the past. In 2016, hackers working for the United Arab Emirates government used a zero-click tool called Karma to break into hundreds of iPhones. In 2020 a zero-click exploit was used to monitor iPhones belonging to 37 journalists. Google's Project Zero team has also discovered vulnerabilities that could have allowed for zero-click attacks.

To make zero-click exploits more difficult, Apple has extended Pointer Authentication Codes (PAC) to so-called ISA pointers. PACs were developed by Apple some time ago and are intended to prevent unexpected adjustments of pointers in memory in order to manipulate objects in the system. This is done by signing pointers and return addresses. This signature is validated before the pointers and return addresses are executed.

However, PACs were not yet used for ISA pointers. These pointers tell a program which code should be used. In an upcoming version of iOS, ISA pointers are also protected by means of PACs. Apple confirms the change and states that it should make it more difficult to carry out zero-click attacks. The changes will be implemented in iOS 14.5. At the time of this writing, al release date was not yet available.

Apple’s iOS has been considered a very secure mobile OS since its inception because it is a closed system. Apple doesn’t release its source code to App-developers and nobody can really change the code on their mobile devices.

If you compare this with Android, it’s more relying on open source-code with the ability to modify much more on the device itself. And then there are the manufacturers of the devices. If someone puts out a new phone or tablet with a modification to the Android system, cybercriminals will jump on it to find a vulnerability in it. The popularity of the Android system makes it a much more attractive OS for attackers. The potential ROI for a cybercriminal is much higher with Android. But Android is getting more and more secure as well. Android (12) will soon implement update mechanisms that allow Google to push security updates directly to the devides, without having to go through each individual device manufacturer anymore. Up until this point, any update to the Android operating system, including those that are critical for security, arrived on any given device with an often substantial delay of up to a few months. This new approach to updates could remove a serious weakness and could make Android a much safer OS than it is today.

And above all, attackers seem to become more and more interested in iOS watching the latest iOS security related problems in the past years. Could it be that some hackers aren’t reaching their specific targets otherwise? I really wonder if these kind of security risks will compel some iOS users to migrate to Android, now that Google is working hard to improve and secure his mobile OS a lot.

But bearing all this in mind, there is one thing we shouldn’t forget: with social engineering and phishing attacks it really doesn’t matter at all which (mobile) OS you are using. Attackers prefer to use the path of least resistance – and more often than not, that path goes through the user. This fact is sometimes seriously underestimated.