IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Researcher discovers hidden iOS 14 ‘BlastDoor’ security mechanism

This protective layer sandboxes incoming iMessages to protect users from malicious texts

The latest iteration of Apple’s flagship iPhone operating system, iOS 14, was shipped with a previously undisclosed security mechanism that comprises major changes to the way incoming iMessage texts are processed.

With iOS 14, Apple has introduced BlastDoor, which serves as a sandboxing service for all incoming iMessage data, according to Google’s Project Zero researcher Samuel Groß. This hadn't been previously disclosed by Apple, and the tool was only discovered after reverse-engineering the operating system.

BlastDoor aims to safeguard iPhone users against a common form of attack which involves malicious payloads being sent through iMessage texts. Hackers have, in the past, exploited iMessage vulnerabilities to launch remote code execution attacks and take control of iPhones by simply sending a text to a victim’s device.

This sandboxing layer has been designed specifically to combat this threat by executing any incoming code in an isolated environment, away from the rest of the operating system. This means malicious payloads can be identified and removed before the user interacts with the message.

Although several sandboxing mechanisms already exist in iOS, BlastDoor is one that specifically operates with the iMessage app. It’s also written in Swift, which is considered a memory safe language, making it harder to introduce classic memory corruption vulnerabilities into the codebase.

The Great iPwn, disclosed by Citizen Lab in December 2020, is a recent example of a series of attacks that exploited such weaknesses in iMessage. The report revealed that government operatives using the NSO Group’s infamous Pegasus spyware were found to have hacked 36 personal phones belonging to Al Jazeera journalists.

The operatives deployed an invisible zero-click exploit in iMessage to conduct their attacks, but the report also claimed the attacks wouldn’t work against devices with iOS 14 due to undefined “new security protections”.

This prompted Project Zero’s Groß to reverse-engineer iOS 14 in order to establish the precise nature of any new security mechanisms. Beyond BlastDoor, it was also found that Apple had added a set of technical structural changes, including exponential throttling between restarts, to make it even harder for hackers to breach devices.

“Overall, these changes are probably very close to the best that could’ve been done given the need for backwards compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole,” Groß said.

“It’s great to see Apple putting aside the resources for these kinds of large refactorings to improve end-users’ security. Furthermore, these changes also highlight the value of offensive security work: not just single bugs were fixed, but instead structural improvements were made based on insights gained from exploit development work.”

Featured Resources

The COO's pocket guide to enterprise-wide intelligent automation

Automating more cross-enterprise and expert work for a better value stream for customers

Free Download

Introducing IBM Security QRadar XDR

A comprehensive open solution in a crowded and confusing space

Free Download

2021 Gartner critical capabilities for data integration tools

How to identify the right tool in support of your data management solutions

Free Download

Unified endpoint management solutions 2021-22

Analysing the UEM landscape

Free Download

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Samsung proposes 11 Texas semiconductor plants worth $191 billion

Samsung proposes 11 Texas semiconductor plants worth $191 billion

21 Jul 2022
Should you take your password manager off the internet?

Should you take your password manager off the internet?

28 Jul 2022