Why is this interesting? - The BlastDoor Edition
On iOS, security, and a game of cat and mouse
Noah here. At the end of last week, an interesting story came out about a new security feature in iOS called BlastDoor. Here’s how ZDNet security writer Catalin Cimpanu described it:
[Google security researcher Samuel] Groß said the new BlastDoor service is a basic sandbox, a type of security service that executes code separately from the rest of the operating system.
While iOS ships with multiple sandbox mechanisms, BlastDoor is a new addition that operates only at the level of the iMessage app.
Its role is to take incoming messages and unpack and process their content inside a secure and isolated environment, where any malicious code hidden inside a message can't interact or harm the underlying operating system or retrieve with user data.
In essence, it’s a way to ensure that a random person can’t install something on your phone by simply sending you a message. It’s a timely discovery after spyware was found on the phones of a number of journalists that is believed to have been implanted using exactly this approach. 2018’s Whatsapp hack also used a similar technique:
Over an 11-day span in late April and early May , the suit alleges, NSO [an Israeli-based spyware maker] targeted about 1,400 mobile phones that belonged to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials. To infect the targets with NSO's advanced and full-featured spyware, the company exploited a critical WhatsApp vulnerability that worked against both iOS and Android devices. The clickless exploit was delivered when attackers made a video call. Targets need not have answered the call or taken any other action to be infected.
Why is this interesting?
While on one hand, we are seeing the widespread deployment of malware like Wannacry, which brought down hospitals and businesses worldwide, on the other we’re seeing the rise of (or at least increased reporting around) super-targeted hacks. Stuxnet, the US-Israeli malware that attacked Iranian nuclear centrifuges is probably the most famous example. That particular hack used a series of exploits to quietly find its way into the Iranian facilities and spin centrifuges until they fell apart. As Kim Zetter outlines in her excellent book Countdown to Zero Day (a zero-day vulnerability is one that hasn’t been reported or patched yet), using code as a weapon has a lot of advantages over typical military fare:
A digital attack could slip past air-defense systems and electrified fences to burrow effortlessly into infrastructure deep underground that was otherwise unreachable by air and other means. It could also take out centrifuges not just in known facilities but in unknown ones. You couldn’t bomb a plant you didn’t know about, but you could possibly cyberbomb it. If Iran had other secret enrichment plants distributed throughout the country that used the same equipment and configuration as Natanz, a digital weapon planted in the computers of the contractors who serviced them all could spread from known facilities to unknown ones.
Zero-days are one thing, but zero-click is a whole other. Most hacks are reliant on human error. Zero-clicks, however, work without a user ever making the kinds of mistakes security people warn against like opening a file from someone you don’t know or giving someone access over the phone. By simply receiving a message, the user has been hacked. This obviously makes us even more reliant on completely secure systems, and apparently also makes it much harder to track the hack. Here’s ArsTechnica:
“The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance,” Citizen Lab researchers Bill Marczak, John Scott-Railton, Noura Al-Jizawi, Siena Anstis, and Ron Deibert wrote. “Although this is a predictable technological evolution, it increases the technological challenges facing both network administrators and investigators.”
The stakes for this cat and mouse game between technologists, security researchers, and hackers are high. As we’ve seen, journalists have been targeted with something as innocuous as a text message. People trained in security and information hygiene can still fall prey to these increasingly sophisticated attacks that rely on just a momentary lapse. It’s at least reassuring that the issue is being taken seriously at the product level at Apple, with the name BlastDoor befitting the gravity of what’s at stake. (NRB)
Comic of the Day:
The Muppet Show is coming to Disney+ this month. Here’s a guide to Season 1. (NRB)
Thanks for reading,
Noah (NRB) & Colin (CJN)
Why is this interesting? is a daily email from Noah Brier & Colin Nagy (and friends!) about interesting things. If you’ve enjoyed this edition, please consider forwarding it to a friend. If you’re reading it for the first time, consider subscribing (it’s free!).