iOS 14.5 Change Makes ‘Zero Click’ iPhone Vulnerabilities Much More Difficult to Achieve
An upcoming change in iOS 14.5 makes zero-click exploits much more difficult to pull off on the iPhone, several security researchers have said.
Apple quietly made the change to the way it protects code running on iOS in an iOS 14.5 beta, suggesting that it could ship with the next public update. Multiple security researchers discovered the new control independently, according to a report published Monday.
Specifically, the company has extended Pointer Authentication Codes (PACs), a hardware feature already used on recent iPhones to protect users from exploits that hijack control flow through memory corruption, to what are called ISA pointers. The ISA pointer sits at the start of every Objective-C object and identifies the object's class, and so ultimately which code runs when a method is called on that object. Under the change, the system signs each ISA pointer when it is stored and authenticates it before it is used, so a pointer that an attacker has overwritten fails the check instead of steering execution.
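To make the mechanism concrete, here is an added illustration that is not code from Apple, objc4 or the article: a toy simulation of signing and authenticating an isa pointer. Real arm64e hardware computes the PAC with a cipher keyed by a secret that user code cannot read; the keyed 64-bit mixing function below is a constructed stand-in and is not cryptographically sound. The example assumes 48-bit virtual addresses with the tag stored in the top 16 bits, and uses the address of the isa slot as the signing modifier (a simplification of objc4's scheme). The forged-isa and replayed-isa scenarios are what memory corruption would attempt; the no-PAC scenario shows what happens without the check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 48-bit virtual addresses, so the PAC lives in the top 16 bits. */
#define VA_BITS   48
#define ADDR_MASK ((UINT64_C(1) << VA_BITS) - 1)
#define PAC_MASK  (~ADDR_MASK)

/* Stand-in for the kernel-held data key; hardware never exposes the real one. */
static const uint64_t PAC_KEY = UINT64_C(0x5851F42D4C957F2D);

/* Keyed mix of (pointer, modifier) -> 16-bit tag in PAC position.
 * Constructed for illustration only; real PAC uses the QARMA cipher. */
static uint64_t pac_compute(uint64_t ptr, uint64_t modifier) {
    uint64_t x = (ptr & ADDR_MASK) ^ PAC_KEY;
    x ^= modifier * UINT64_C(0x9E3779B97F4A7C15);
    x ^= x >> 30; x *= UINT64_C(0xBF58476D1CE4E5B9);
    x ^= x >> 27; x *= UINT64_C(0x94D049BB133111EB);
    x ^= x >> 31;
    return (x & 0xFFFF) << VA_BITS;
}

/* pacda-like: sign a data pointer, embedding the tag in its unused high bits. */
static uint64_t pac_sign(uint64_t ptr, uint64_t modifier) {
    return (ptr & ADDR_MASK) | pac_compute(ptr, modifier);
}

/* autda-like: verify and strip the tag. On mismatch, return a pointer with a
 * poison bit set so that dereferencing it would fault rather than succeed. */
static uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, bool *ok) {
    uint64_t expect = pac_compute(signed_ptr, modifier);
    uint64_t stripped = signed_ptr & ADDR_MASK;
    *ok = (signed_ptr & PAC_MASK) == expect;
    return *ok ? stripped : (stripped | (UINT64_C(1) << (VA_BITS + 1)));
}

typedef struct objc_class {
    const char *name;
    const char *(*greet)(void);   /* the code the isa ultimately selects */
} objc_class;

typedef struct object {
    uint64_t isa;                 /* signed pointer to an objc_class */
    int payload;
} object;

static const char *real_greet(void) { return "RealClass"; }
static const char *evil_greet(void) { return "AttackerClass"; }

static objc_class real_class = { "RealClass", real_greet };
static objc_class evil_class = { "AttackerClass", evil_greet };  /* attacker-controlled */

/* Modifier: address of the isa slot itself (simplified from objc4). */
static uint64_t isa_modifier(const object *o) { return (uint64_t)(uintptr_t)&o->isa; }

static void object_init(object *o, objc_class *cls) {
    o->isa = pac_sign((uint64_t)(uintptr_t)cls, isa_modifier(o));
    o->payload = 0;
}

/* objc_msgSend stand-in: authenticate the isa before using it to find code. */
static const char *send_greet(object *o) {
    bool ok;
    uint64_t cls_addr = pac_auth(o->isa, isa_modifier(o), &ok);
    if (!ok) return "AUTH_FAIL";          /* hardware would fault here */
    objc_class *cls = (objc_class *)(uintptr_t)cls_addr;
    return cls->greet();
}

/* 1. Honest object: signed at init, authenticates fine. */
const char *scenario_legit(void) {
    object o; object_init(&o, &real_class);
    return send_greet(&o);
}

/* 2. Memory corruption writes the raw address of a fake class into isa.
 * Without the key the attacker cannot produce a valid tag. */
const char *scenario_forged_isa(void) {
    object o; object_init(&o, &real_class);
    o.isa = (uint64_t)(uintptr_t)&evil_class;
    return send_greet(&o);
}

/* 3. Replay: copy a validly signed isa from another object. The tag was
 * computed for the donor's slot address, so it fails for the victim's. */
const char *scenario_replayed_isa(void) {
    object victim, donor;
    object_init(&victim, &real_class);
    object_init(&donor, &evil_class);
    victim.isa = donor.isa;
    return send_greet(&victim);
}

/* 4. Same overwrite with no authentication: attacker code runs. */
const char *scenario_no_pac(void) {
    object o; o.isa = (uint64_t)(uintptr_t)&evil_class;
    objc_class *cls = (objc_class *)(uintptr_t)o.isa;
    return cls->greet();
}

int main(void) {
    printf("legit:    %s\n", scenario_legit());
    printf("forged:   %s\n", scenario_forged_isa());
    printf("replayed: %s\n", scenario_replayed_isa());
    printf("no PAC:   %s\n", scenario_no_pac());
    return 0;
}
```

The replay scenario is the reason the modifier matters: signing a pointer to its own storage address stops an attacker from harvesting a correctly signed isa from one object and transplanting it into another, which is exactly the kind of substitution a memory-corruption primitive would otherwise allow.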
One researcher said he discovered the change to ISA pointers when he reverse engineered a beta version of iOS 14.5 at the beginning of February.
Apple also shared some details about PAC in its updated Platform Security Guide, which was released to the public on February 18.
Security researchers said that the mitigation will make zero-click exploits more difficult to achieve. Zero-click refers to vulnerabilities that allow an attacker to compromise an iPhone without any user interaction, for example by sending a crafted message. It could also complicate sandbox escapes, attacks that try to break out of the isolation that iOS imposes on individual apps and processes.
An Apple spokesperson said they believe the change will make zero-click vulnerabilities more difficult to achieve. They added that the security of a device depends on multiple mitigation strategies, and not just one.
While it won’t completely rule out zero-click exploits, security researchers said the new mitigation “raised the bar” and will likely make this type of attack much more costly to develop and maintain.
Zero-click vulnerabilities have been used in several high-profile attacks against iPhone users in the past. In 2016, hackers working for the UAE government used a zero-click tool called Karma to access hundreds of iPhones. In 2020, a report indicated that a zero-click exploit was used to monitor iPhones belonging to 37 journalists. Google’s Project Zero team has also discovered vulnerabilities that could have allowed zero-click attacks.