Beautiful Virgin Islands

Thursday, Jul 03, 2025

Apple Fixes One of the iPhone's Most Pressing Security Risks

Apple Fixes One of the iPhone's Most Pressing Security Risks

By hardening iMessage in iOS 14, the company has effectively cut off what had been an increasingly popular line of attack.
Apple's iOS operating system is generally considered secure, certainly enough for most users most of the time. But in recent years hackers have successfully found a number of flaws that provide entry points into iPhones and iPads. Many of these have been what are called zero-click or interactionless attacks that can infect a device without the victim so much as clicking a link or downloading a malware-laced file.

Time and again these weaponized vulnerabilities turned out to be in Apple's chat app, iMessage. But now it appears that Apple has had enough. New research shows that the company took iMessage's defenses to a whole other level with the release of iOS 14 in September.

At the end of December, for example, researchers from the University of Toronto’s Citizen Lab published findings on a hacking campaign from the summer in which attackers successfully targeted dozens of Al Jazeera journalists with a zero-click iMessages attack to install NSO Group's notorious Pegasus spyware. Citizen Lab said at the time that it didn't believe iOS 14 was vulnerable to the hacking used in the campaign; all the victims were running iOS 13, which was current at the time.

Samuel Groß has long investigated zero-click iPhone attacks alongside a number of his colleagues at Google's Project Zero bug-hunting team. The week, he detailed three improvements that Apple added to iMessage to harden the system and make it much more difficult for attackers to send malicious messages crafted to wreak strategic havoc.

“These changes are probably very close to the best that could’ve been done given the need for backward compatibility, and they should have a significant impact on the security of iMessage and the platform as a whole,” Groß wrote on Thursday. “It’s great to see Apple putting aside the resources for these kinds of large refactorings to improve end users’ security.”

In response to Citizen Lab's research, Apple said in December that “iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks.”

iMessage is an obvious target for zero-click attacks for two reasons. First, it's a communication system, meaning part of its function is to exchange data with other devices. iMessage is literally built for interactionless activity; you don't need to tap anything to receive a text or photo from a contact. And iMessage's full suite of features—integrations with other apps, payment functionality, even small things like stickers and memoji—make it fertile ground for hackers as well. All those interconnections and options are convenient for users but add “attack surface,” or potential for weakness.

“iMessage is a built-in service on every iPhone, so it’s a huge target for sophisticated hackers,” says Johns Hopkins cryptographer Matthew Green. “It also has a ton of bells and whistles, and every single one of those features is a new opportunity for hackers to find bugs that let them take control of your phone. So what this research shows is that Apple knows this and has been quietly hardening the system.”

Groß outlines three new protections Apple developed to deal with its iMessage security issues at a structural level, rather than through Band-Aid patches. The first improvement, dubbed BlastDoor, is a “sandbox,” essentially a quarantine zone where iMessage can inspect incoming communications for potentially malicious attributes before releasing them into the main iOS environment.

The second new mechanism monitors for attacks that manipulate a shared cache of system libraries. The cache changes addresses within the system at random to make it harder to access maliciously. iOS only changes the address of the shared cache after a reboot, though, which has given zero-click attackers an opportunity to discover its location; it's like taking shots in the dark until you hit something. The new protection is set up to detect malicious activity and trigger a refresh without the user having to restart their iPhone.

The final addition makes it more difficult for hackers to “brute force,” or retry attacks multiple times—a common technique in zero-click hacks if an assault doesn't quite work the first time. This protection is relevant to reducing those shots in the dark to find the shared cache, but also to attacks more broadly, like attempts to send multiple malicious texts (which are typically invisible to the user) to retry an attack until it works.

Independent researchers agree with Groß's assessment that the version of iMessage in iOS 14 is much better defended against these types of attacks.

“The mitigations are very welcome and appear to be intelligently done,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “I would have hoped to see something like this sooner as iMessage is a big target for remote attacks, but it at least looks like they put a decent amount of care into this.”

Now that they're here, the improvements should make a big difference in curbing the rising tide of interactionless attacks against iMessage. But researchers warn that it's only a matter of time before attackers find a new spin on their stalwart techniques.
Newsletter

Related Articles

Beautiful Virgin Islands
0:00
0:00
Close
DJI Launches Heavy-Duty Coaxial Quadcopter with 80 kg Lift Capacity
U.S. Senate Approves Major Legislation Dubbed the 'Big Beautiful Bill'
Largest Healthcare Fraud Takedown in U.S. History Announced by DOJ
Poland Implements Border Checks Amid Growing Migration Tensions
Political Dispute Escalates Between Trump and Musk
Emirates Airline Expands Market Share with New $20 Million Campaign
Amazon Reaches Milestone with Deployment of One Millionth Robot
US Senate Votes to Remove AI Regulation Moratorium from Domestic Policy Bill
Yulia Putintseva Calls for Spectator Ejection at Wimbledon Over Safety Concerns
Jury Deliberations in Diddy Trial Yield Partial Verdict in Serious Criminal Charges
House Oversight Committee Subpoenas Former Jill Biden Aide Amid Investigation into Alleged Concealment of President Biden's Cognitive Health
King Charles Plans Significant Role for Prince Harry in Coronation
Two Chinese Nationals Arrested for Espionage Activities Against U.S. Navy
Amazon Reaches Major Automation Milestone with Over One Million Robots
Extreme Heat Wave Sweeps Across Europe, Hitting Record Temperatures
Meta Announces Formation of Ambitious AI Unit, Meta Superintelligence Labs
Robots Compete in Football Tournament in China Amid Injuries
Trump Administration Considers Withdrawal of Funding for Hospitals Providing Gender Treatment to Minors
Texas Enacts Law Allowing Gold and Silver Transactions
China Unveils Miniature Insect-Like Surveillance Drone
OpenAI Secures Multimillion-Dollar AI Contracts with Pentagon, India, and Grab
Marc Marquez Claims Victory at Dutch Grand Prix Amidst Family Misfortune
Germany Votes to Suspend Family Reunification for Asylum Seekers
Elon Musk Critiques Senate Budget Proposal Over Job Losses and Strategic Risks
Los Angeles Riots ended with Federal Investigations into Funding
Budapest Pride Parade Draws 200,000 Participants Amid Government Ban
Southern Europe Experiences Extreme Heat
Xiaomi's YU7 SUV Launch Garners Record Pre-Orders Amid Market Challenges
Jeff Bezos and Lauren Sanchez's Lavish Wedding in Venice
Russia Launches Largest Air Assault on Ukraine Since Invasion
Education Secretary Announces Overhaul of Complaints System Amid Rising Parental Grievances
Massive Anti-Government Protests Erupt in Belgrade
Trump Ends Trade Talks with Canada Over Digital Services Tax
UK Government Softens Welfare Reform Plans Amid Labour Party Rebellion
Labour Faces Rebellion Over Disability Benefit Reforms Ahead of Key Vote
Jeff Bezos and Lauren Sánchez Host Lavish Wedding in Venice Amid Protests
Trump Asserts Readiness for Further Strikes on Iran Amid Nuclear Tensions
North Korea to Open New Beach Resort to Boost Tourism Economy
UK Labour Party Faces Internal Tensions Over Welfare Reforms
Andrew Cuomo Hints at Potential November Comeback Amid Democratic Primary Results
Curtis Sliwa Champions His Vision for New York City Amid Rising Crime Concerns
Federal Reserve Proposes Changes to Capital Rule Affecting Major Banks
EU TO HUNGARY: LET THEM PRIDE OR PREP FOR SHADE. ORBÁN TO EU: STAY IN YOUR LANE AND FIX YOUR OWN MESS.
Trump Escalates Criticism of Media Over Iran Strike Coverage
Trump Announces Upcoming US-Iran Meeting Amid Controversial Airstrikes
Trump Moves to Reshape Middle East Following Israel-Iran Conflict
Big Four Accounting Firms Fined in Exam Cheating Scandal
NATO Members Agree to 5% Defense Spending Target by 2035
Australia's Star Casino Secures $195 Million Rescue Package Amid Challenges
UK to Enhance Nuclear Capabilities with Acquisition of F-35A Fighter Jets
×