Security News > 2021 > January > Google uncovers new iOS security feature Apple quietly added after zero-day attacks
Google Project Zero on Thursday disclosed details of a new security mechanism that Apple quietly added to iOS 14 as a countermeasure to prevent attacks that were recently found to leverage zero-days in its messaging app.
Dubbed "BlastDoor," the improved sandbox system for iMessage data was disclosed by Samuel Groß, a Google Project Zero researcher tasked with studying zero-day vulnerabilities in hardware and software systems.
The development is a consequence of a zero-click exploit that leveraged an Apple iMessage flaw in iOS 13.5.1 to get around security protections as part of a cyberespionage campaign targeting Al Jazeera journalists last year.
"We do not believe that works against iOS 14 and above, which includes new security protections," Citizen Lab researchers who revealed the attack outlined last month.
BlastDoor forms the core of those new security protections, per Groß, who analyzed the implemented changes over the course of a week-long reverse engineering project using an M1 Mac Mini running macOS 11.1 and an iPhone XS running iOS 14.3.
What's more, in a bid to delay subsequent restarts of a crashing service, Apple has also introduced a new throttling feature in the iOS "Launchd" process to limit the number of tries an attacker gets when seeking to exploit a flaw by exponentially increasing the time between two successive brute-force attempts.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/HgNyP2-PuoY/google-uncovers-new-ios-security.html
Related news
- Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks (source)
- Google fixes two Android zero-days used in targeted attacks (source)
- Apple fixes two zero-days used in attacks on Intel-based Macs (source)
- Apple Patches Two Zero-Day Attack Vectors (source)
- Rackspace monitoring data stolen in ScienceLogic zero-day attack (source)
- Fake Trading Apps Target Victims Globally via Apple App Store and Google Play (source)
- WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks (source)
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability (source)
- Qualcomm patches high-severity zero-day exploited in attacks (source)
- Ivanti warns of three more CSA zero-days exploited in attacks (source)