The BlastDoor initiative is worth noting, first seen in iOS 14


The nightmare scenario for most of us is that a partner's or other family member's phone gets an SMS or instant message with malicious content (malformed text, photos or video) or a dodgy link. Using social engineering, the sender hopes the recipient will open the message and display the contents, or perhaps tap a link and be taken to a scam or phishing site (or worse, on Android, where an APK might be offered for installation). In the worst case no tap is needed at all: the damage is done when the phone merely parses the incoming content. It's easy to see how everyday users can be tricked or taken in. Which is why I welcome measures like the new (and until recently semi-secret) messaging sandbox, the wonderfully named BlastDoor, which Apple quietly shipped in iOS 14 for all supported iPhones and iPads.

ZDNet reports:

With the release of iOS 14 last fall, Apple has added a new security system to iPhones and iPads to protect users against attacks carried out via the iMessage instant messaging client. Named BlastDoor, this new iOS security feature was discovered by Samuel Groß, a security researcher with Project Zero, a Google security team tasked with finding vulnerabilities in commonly-used software.

Groß said the new BlastDoor service is a basic sandbox, a type of security service that executes code separately from the rest of the operating system. While iOS ships with multiple sandbox mechanisms, BlastDoor is a new addition that operates only at the level of the iMessage app. Its role is to take incoming messages and unpack and process their content inside a secure and isolated environment, where any malicious code hidden inside a message can't interact with or harm the underlying operating system or retrieve user data.

The need for a service like BlastDoor had become obvious after several security researchers had pointed out in the past that the iMessage service was doing a poor job of sanitizing incoming user data. Over the past three years, there had been multiple instances where security researchers or real-world attackers found iMessage remote code execution (RCE) bugs and abused these issues to develop exploits that allowed them to take control over an iPhone just by sending a simple text, photo, or video to someone's device...

...Groß said he was drawn to investigating iOS 14's internals after reading in the Citizen Lab report that the attackers' zero-days stopped working after the launch of iOS 14, which apparently included improved security defenses. After probing around in the iOS 14 inner workings for a week, Groß said he believes that Apple finally listened to the security research community and improved iMessage's handling of incoming content by adding the BlastDoor sandbox to iMessage's source code.

See the full Project Zero post for the gory details.

In essence, every incoming iMessage is unpacked and parsed inside the sandboxed BlastDoor process, so that whatever the message contains, a bug triggered while parsing it is confined to that isolated process rather than reaching the main OS, its other processes or the user's data:

Flow chart
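The privilege-separated design described above, reduced to a runnable sketch, as an added example that is not Apple's or Project Zero's code: a deliberately fragile parser for an invented record format runs in a forked child that has closed every inherited file descriptor except one pipe and applied resource limits, while the parent never touches the untrusted bytes and accepts only a schema-checked JSON result. The wire format, the limit values, the result schema and the sample messages are all constructed for this illustration; it assumes a Unix system with os.fork and the resource module.

```python
"""Privilege-separated parsing in the spirit of BlastDoor (constructed example, not Apple's code)."""
import json
import os
import resource
import select
import signal
import time

# Toy wire format, invented here: records of 1-byte type | 2-byte big-endian length | payload
TYPE_TEXT, TYPE_IMAGE = 0x01, 0x02
ALLOWED_KEYS = {"text": str, "image_count": int, "image_pixels": int}   # the only result shape accepted
MAX_RESULT_BYTES = 64 * 1024       # parent refuses anything bigger from the child
MEM_LIMIT = 2 << 30                # 2 GiB address-space cap for the child (assumed value)

def parse_message_untrusted(raw: bytes) -> dict:
    """Naive decoder that believes every length and size field it reads.
    A hostile image header makes it try to allocate gigabytes and a
    non-UTF-8 text record raises.  This must never run with privileges."""
    pos, text_parts, image_count, image_pixels = 0, [], 0, 0
    while pos < len(raw):
        rtype = raw[pos]
        length = int.from_bytes(raw[pos + 1:pos + 3], "big")
        payload = raw[pos + 3:pos + 3 + length]
        if rtype == TYPE_TEXT:
            text_parts.append(payload.decode("utf-8"))
        elif rtype == TYPE_IMAGE:
            width = int.from_bytes(payload[0:2], "big")
            height = int.from_bytes(payload[2:4], "big")
            _pixels = bytearray(width * height * 4)   # attacker-sized buffer, no bounds check
            image_count += 1
            image_pixels += width * height
        else:
            raise ValueError(f"unknown record type {rtype:#x}")
        pos += 3 + length
    return {"text": "".join(text_parts), "image_count": image_count,
            "image_pixels": image_pixels}

def _cap(limit: int, value: int) -> None:
    """Lower a resource limit to `value`, never above the existing hard limit."""
    _soft, hard = resource.getrlimit(limit)
    value = value if hard == resource.RLIM_INFINITY else min(value, hard)
    resource.setrlimit(limit, (value, value))

def _confine_child(keep_fd: int) -> None:
    os.closerange(0, keep_fd)                              # no stdio, inherited files or sockets
    os.closerange(keep_fd + 1, os.sysconf("SC_OPEN_MAX"))  # only the result pipe survives
    _cap(resource.RLIMIT_AS, MEM_LIMIT)                    # memory bombs fail with MemoryError
    _cap(resource.RLIMIT_CPU, 2)                           # CPU bombs get SIGXCPU
    _cap(resource.RLIMIT_FSIZE, 0)                         # cannot create or grow files
    _cap(resource.RLIMIT_NPROC, 0)                         # cannot fork helpers

def validate_result(payload: bytes) -> dict:
    try:
        result = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"status": "rejected", "reason": "not valid JSON"}
    if not isinstance(result, dict) or set(result) != set(ALLOWED_KEYS):
        return {"status": "rejected", "reason": "unexpected keys"}
    for key, expected in ALLOWED_KEYS.items():
        if type(result[key]) is not expected:              # `is`: a JSON bool is not an int here
            return {"status": "rejected", "reason": f"bad type for {key}"}
    return {"status": "ok", **result}

def parse_in_sandbox(raw: bytes, timeout: float = 5.0) -> dict:
    """Parse `raw` in a throwaway child; the parent survives whatever happens."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:                                           # ---- child ----
        try:
            os.close(read_fd)
            _confine_child(write_fd)
            out = json.dumps(parse_message_untrusted(raw)).encode("utf-8")
            while out:
                out = out[os.write(write_fd, out):]
            os._exit(0)
        except BaseException:
            os._exit(1)                                    # any failure is just a dead child
    os.close(write_fd)                                     # ---- parent ----
    chunks, size, failure, deadline = [], 0, None, time.monotonic() + timeout
    while failure is None:
        if not select.select([read_fd], [], [], max(deadline - time.monotonic(), 0))[0]:
            failure = "timeout"
        elif not (chunk := os.read(read_fd, 4096)):
            break                                          # EOF: child finished or died
        elif (size := size + len(chunk)) > MAX_RESULT_BYTES:
            failure = "oversized result"
        else:
            chunks.append(chunk)
    os.close(read_fd)
    os.kill(pid, signal.SIGKILL)                           # harmless on an already-exited child
    _, status = os.waitpid(pid, 0)
    if failure:
        return {"status": "rejected", "reason": failure}
    if not (os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0):
        return {"status": "crashed", "wait_status": status}
    return validate_result(b"".join(chunks))

if __name__ == "__main__":
    print(parse_in_sandbox(b"\x02\x00\x04\xff\xff\xff\xff"))   # 65535x65535 "image": status "crashed"
```

Three things are being demonstrated. The parser's defect (an attacker-chosen allocation size) kills only the child, and the parent reports a crash instead of sharing it. The parent's schema check means the child, even if fully compromised, can hand back nothing but three fields of the expected types. A child that hangs or floods the pipe is killed on a deadline. Real BlastDoor confines the parsing process far more tightly than a handful of rlimits; the point here is the shape of the boundary, not the specific limits.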

Which all seems eminently sensible, and you have to wonder why other operating systems and messaging apps haven't done the same before now. Apple users had been more of a target, of course, because iMessage is 'rich' in terms of the content it can carry, and the richer the content, the more parsing code there is to go wrong.

In the case of plain SMS, the medium itself is just text, so you're 'only' in danger from odd Unicode sequences and links to dodgy sites (MMS attachments are a separate matter), so perhaps there's less urgency for a manufacturer or software vendor to act. It's curious that WhatsApp, Telegram and the rest don't have a similar sandbox, though. Or maybe they do and it's a secret (mainly from the bad guys)? After all, Apple didn't announce any of this, and it was left to a security researcher to discover it!

WP 8.1 and Windows 10 Mobile users don't have to worry, mind you, since the platform itself is so niche at this point that it's unlikely to be targeted by anyone. The worst you'd encounter on a Lumia is a phishing link, in which case be careful and just... don't tap!

Source / Credit: ZDNet