An imminent iOS update is set to make cyberattacks that require no input from the victim (also known as zero-click exploits) much harder to execute.
As evidenced by the beta version of iOS 14.5, Apple has changed its approach to securing code running on its phones and tablets, making it far more difficult for hackers to develop exploits that do not rely on some form of slip-up on the user’s part.
Although Apple already uses a technology known as Pointer Authentication Codes (PAC) to prevent attackers from abusing corrupted memory, this protection does not currently extend to ISA pointers, used to inform applications which portion of code to refer to.
Assuming the changes present in the beta make it into the full iOS 14.5 release, which is expected to land later this month, ISA pointers will soon come under the protection of PAC, closing off the attack vector.
iOS 14.5 security update
What makes zero-click (or 0-click) exploits so dangerous is that they do not rely on the victim clicking on a malicious link or email attachment to infect a device. And because they require no interaction on the victim’s part, the owner of the affected device is also less likely to be aware of an attack.
According to Apple, the new measures introduced with iOS 14.5 will make conducting this type of attack far more difficult, but not entirely impossible. Overall device security, the firm explained, depends on bolstering mitigation mechanisms across the board.
However, security experts are a little more bullish about the potential for iOS 14.5 to impair both zero-click attacks and sandbox attacks, which place applications in a kind of quarantine, preventing them from communicating.
Adam Donnenfeld, Security Researcher at Zimperium, told Motherboard that the steps taken by Apple will mean only the most sophisticated hackers will now be able to execute these types of attacks.
“Nowadays, since the pointer is signed, it is harder to corrupt these pointers to manipulate objects in the system. These objects were used mostly in sandbox escapes and 0-clicks,” he explained.
An anonymous iOS developer, meanwhile, suggested the iOS update will force hackers to develop entirely new methods of compromise, “because some techniques are now irretrievably lost”.
