News Highlights: Apple solves one of the iPhone’s most pressing security threats
Apple’s iOS operating system is generally considered safe, certainly enough for most users. But in recent years, hackers have successfully discovered a number of flaws that allow access to iPhones and iPads. Many of these attacks are so-called zero-click or interaction-less attacks that can infect a device without the victim even clicking a link or downloading a file containing malware. Time and again, these weaponized vulnerabilities have been found in Apple’s chat app, iMessage. But now it appears that Apple has had enough. New research shows that the company has taken the iMessage defense to a whole new level with the release of iOS 14 in September.
This is how researchers from the Citizen Lab at the University of Toronto arrived at the end of December published findings from a summer hacking campaign in which attackers successfully attacked dozens of Al Jazeera journalists with a no-click iMessages attack to install NSO Group’s infamous Pegasus spyware. Citizen Lab said at the time that it did not believe iOS 14 was vulnerable to the hacking used in the campaign; all victims were running iOS 13, which was current at the time.
Samuel Groß has a long time investigated zero click iPhone attacks along with some of his colleagues on Google’s Project Zero bug-hunting team. The week he explained three enhancements Apple had added to iMessage to stiffen the system and make it much more difficult for attackers to send malicious messages designed to wreak strategic havoc.
“These changes are probably very close to the best that could have been done given the need for backward compatibility, and should have a significant impact on the security of iMessage and the platform as a whole,” Groß wrote Thursday. “It’s great to see Apple set aside the resources for major refactors like this to improve end-user security.”
In response to the Citizen Lab study, Apple said in December that “iOS 14 is a quantum leap in security and offers new protection against these types of attacks.”
iMessage is a clear target for zero-click attacks for two reasons. First, it is a communication system,…