An upcoming change in iOS 14.5 makes zero-click exploits much harder to carry out on the iPhone, several malware researchers have declared.
Apple quietly made the change to the way it secures code running in iOS in an iOS 14.5 beta, suggesting that it could be released with the next public update. Several security researchers uncovered the control, Vice reported Monday.
Specifically, the company has added Pointer Authentication Codes (PAC) to protect users from exploits that inject malicious code via memory corruption. The system now authenticates and validates what are called ISA pointers — a feature that tells an iOS program what code to run — before they’re used.
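To make the mechanism concrete, here is an added toy model of pointer authentication applied to an object's isa pointer. It is illustration code written for this page, not Apple's implementation or anything from the iOS runtime: the keyed mixer stands in for the QARMA cipher the hardware uses, the key is a constant rather than a per-process register, the address layout (40 address bits, 24 code bits) is chosen for the demo, and the class and object addresses are constructed constants in a simulated address space. What it does show is the property the article describes: an isa pointer is signed when the object is created and authenticated before it is followed, so a pointer planted by memory corruption, or a valid signed pointer copied from a different object, is rejected instead of being dispatched through.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of pointer authentication on isa pointers (constructed example).
 * Layout: address in the low ADDR_BITS, authentication code in the high bits,
 * mirroring how real PAC reuses unused high bits of the virtual address. */
#define ADDR_BITS 40
#define ADDR_MASK ((1ULL << ADDR_BITS) - 1ULL)
#define CODE_MASK (~ADDR_MASK)

static const uint64_t DEMO_KEY = 0x0123456789ABCDEFULL; /* constructed key */

/* Keyed mixer standing in for the hardware cipher; not cryptographically strong. */
static uint64_t toy_mac(uint64_t key, uint64_t addr, uint64_t modifier) {
    uint64_t x = addr ^ key ^ (modifier * 0x9E3779B97F4A7C15ULL);
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    x ^= x >> 31;
    return x & CODE_MASK;            /* only the bits that will carry the code */
}

/* PAC* analogue: sign a raw address under (key, modifier). */
uint64_t pac_sign(uint64_t key, uint64_t addr, uint64_t modifier) {
    addr &= ADDR_MASK;
    return addr | toy_mac(key, addr, modifier);
}

/* AUT* analogue: recompute the code and compare. Returns 1 and the stripped
 * address on success, 0 on mismatch (hardware instead hands back a poisoned
 * pointer so the next dereference faults). */
int pac_auth(uint64_t key, uint64_t signed_ptr, uint64_t modifier, uint64_t *out) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    if ((signed_ptr & CODE_MASK) != toy_mac(key, addr, modifier)) return 0;
    *out = addr;
    return 1;
}

/* Simulated runtime: two classes at fixed constructed addresses. */
struct toy_class { int (*describe)(void); };
static int class_a_describe(void) { return 1; }
static int class_b_describe(void) { return 2; }
#define CLASS_A_ADDR 0x100004000ULL
#define CLASS_B_ADDR 0x100008000ULL
static struct toy_class class_a = { class_a_describe };
static struct toy_class class_b = { class_b_describe };

static struct toy_class *class_at(uint64_t addr) {
    if (addr == CLASS_A_ADDR) return &class_a;
    if (addr == CLASS_B_ADDR) return &class_b;
    return NULL;
}

/* An object knows its own simulated address and carries a signed isa. The
 * runtime signs isa with the object's address as modifier, so the signature
 * is only valid for the object it was created for. */
struct toy_object { uint64_t addr; uint64_t isa; };

void object_init(struct toy_object *obj, uint64_t obj_addr, uint64_t class_addr) {
    obj->addr = obj_addr;
    obj->isa = pac_sign(DEMO_KEY, class_addr, obj_addr);
}

/* Message send: authenticate isa before following it. Returns -1 if rejected. */
int object_describe(const struct toy_object *obj) {
    uint64_t class_addr;
    if (!pac_auth(DEMO_KEY, obj->isa, obj->addr, &class_addr)) return -1;
    struct toy_class *cls = class_at(class_addr);
    return cls ? cls->describe() : -1;
}

#define OBJ_X_ADDR 0x16fd00000ULL   /* constructed object addresses */
#define OBJ_Y_ADDR 0x16fd00100ULL

/* Untouched object: isa authenticates and class A's method runs. */
int demo_legitimate(void) {
    struct toy_object x;
    object_init(&x, OBJ_X_ADDR, CLASS_A_ADDR);
    return object_describe(&x);
}

/* isa overwritten with a raw, unsigned class address: code bits are zero,
 * authentication fails, nothing is dispatched. */
int demo_raw_overwrite(void) {
    struct toy_object x;
    object_init(&x, OBJ_X_ADDR, CLASS_A_ADDR);
    x.isa = CLASS_B_ADDR;
    return object_describe(&x);
}

/* isa replaced with a correctly signed isa copied from another object: the
 * modifier (object address) differs, so the code no longer matches. */
int demo_replayed_isa(void) {
    struct toy_object x, y;
    object_init(&x, OBJ_X_ADDR, CLASS_A_ADDR);
    object_init(&y, OBJ_Y_ADDR, CLASS_B_ADDR);
    x.isa = y.isa;
    return object_describe(&x);
}

int main(void) {
    printf("legitimate: %d\n", demo_legitimate());
    printf("raw overwrite: %d\n", demo_raw_overwrite());
    printf("replayed isa: %d\n", demo_replayed_isa());
    return 0;
}
```

The modifier is the part worth noticing: binding the signature to the object's own address is what stops a signed pointer from being reused elsewhere, which is why the article's researchers describe the change as raising the cost of a memory-corruption exploit rather than merely checking a pointer's shape.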
One researcher said he discovered the change in ISA pointers when he reverse engineered a beta version of iOS 14.5 earlier in February.
Apple also shared some details about PAC in its updated Platform Security guide, which was released to the public on Feb. 18.
Security researchers told Motherboard that the mitigation will make zero-click exploits harder to pull off. Zero-clicks refer to exploits that allow an attacker to compromise an iPhone without any interaction from the user. The change could also complicate sandbox escapes, which are attacks that attempt to bypass the built-in isolation security systems in iOS.
An Apple spokesperson told Motherboard that the company believes the change will make zero-click exploits harder to achieve. The spokesperson added, however, that a device’s security depends on multiple mitigation strategies rather than any single one.
While the change won’t rule out zero-click exploits entirely, security researchers said that the new mitigations “raised the bar” and will likely make this type of attack much costlier to carry out.
Zero-click exploits have been used in several high-profile attacks on iPhone users in the past. In 2016, hackers working for the United Arab Emirates government used a zero-click tool dubbed Karma to break into hundreds of iPhones. In 2020, a report indicated that a zero-click exploit was used to surveil iPhones belonging to 37 journalists. Google’s Project Zero team has also discovered vulnerabilities that could have allowed for zero-click attacks.