Researchers presented intriguing new findings Wednesday regarding an attack that over four years hijacked dozens, if not thousands, of iPhones, many of them belonging to employees of Moscow-based security firm Kaspersky. Key Finding: Unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few, if any, outside of Apple and chip vendors such as ARM Holdings knew.
“The sophistication of the exploit and the obscurity of the functionality suggest that the attackers had advanced technical capabilities,” Kaspersky researcher Boris Larin wrote in an email. “Our analysis did not reveal how they became aware of this feature, but we are exploring all possibilities, including accidental disclosure in previous versions of firmware or source code. They may also have stumbled upon it through hardware reverse engineering.”
Four zero-days exploited for years
Other questions remain unanswered, Larin wrote, even after about 12 months of intensive investigation. Aside from how the attackers discovered this hardware feature, the researchers still don’t know what its purpose is. It’s also unclear whether the feature is a native part of the iPhone or whether it’s enabled by a third-party hardware component such as ARM’s CoreSight.
The massive backdoor campaign, which Russian government officials said also infected the iPhones of thousands of people working at diplomatic missions and embassies in Russia, was revealed in June. Over a period of at least four years, Kaspersky said, infections were delivered in iMessage texts that installed malware through a complex exploit chain without the recipient having to take any action.
The devices were thus infected with comprehensive spyware that, among other things, transmitted microphone recordings, photos, geolocation and other sensitive data to servers controlled by attackers. Although the infections did not survive a reboot, the unknown attackers kept their campaign alive simply by sending devices a new malicious iMessage text shortly after the devices rebooted.
New details disclosed Wednesday indicate that “Triangulation” – the name Kaspersky gave to the malware and the campaign that installed it – exploited four critical zero-day vulnerabilities, meaning serious programming flaws that the attackers knew about before Apple did. The company has since patched all four.
In addition to affecting iPhones, these critical zero-days and the undocumented hardware feature were present in Macs, iPods, iPads, Apple TVs and Apple Watches, and the exploits recovered by Kaspersky were deliberately built to work on those devices as well. Apple has patched these platforms too.
Detecting infections is extremely difficult, even for people with advanced forensic expertise. For those who want to try, a list of Internet addresses, files and other indicators of compromise can be found here.
The iPhone’s Mysterious Feature Proves Key to Triangulation’s Success
The most intriguing new detail is the targeting of a previously unknown hardware feature, which proved essential to the Operation Triangulation campaign. A zero-day in that functionality allowed the attackers to bypass advanced hardware memory protections designed to safeguard the integrity of the device even after an attacker has gained the ability to tamper with underlying kernel memory. On most other platforms, once attackers successfully exploit a kernel vulnerability, they have full control of the compromised system.
On Apple devices equipped with these protections, attackers are still unable to perform key post-exploitation techniques such as injecting malicious code into other processes or modifying kernel code or sensitive kernel data. This powerful protection was bypassed by exploiting a vulnerability in the undocumented feature. The protection, which the exploits discovered so far have rarely defeated, is also present in the Apple M1 and M2 processors.
Kaspersky researchers discovered the undocumented hardware feature only after months of extensive reverse engineering of Triangulation-infected devices. In the course of that work, the researchers’ attention was drawn to hardware registers: memory addresses through which the processor interacts with peripheral components such as USB controllers, memory controllers and the GPU. MMIO, short for memory-mapped input/output, lets the processor read or write a specific hardware register of a specific device by accessing the memory address assigned to it.
The researchers found that several of the MMIO addresses the attackers used to bypass the memory protections were not listed in any device tree, the data structure that enumerates a device’s hardware and serves as a reference for engineers writing hardware or software for iPhones. Even after searching further through source code, kernel images and firmware, they still could not find any mention of these MMIO addresses.
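The check described above, comparing addresses an exploit touches against the register windows the device tree documents, is worth seeing concretely. The following C program is an added example, not Kaspersky’s code or anything from the report: the device tree entries, node names and candidate addresses are all constructed for illustration and are not Apple’s real memory map or the addresses Triangulation used. It also shows the volatile-pointer idiom through which software writes an MMIO register, using a RAM buffer in place of a real register page so it runs anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A "reg" property as it would appear in a device tree node: the base
 * physical address of a peripheral's register window and its length.
 * CONSTRUCTED for illustration; not Apple's real memory map, and the
 * node names are hypothetical. */
typedef struct {
    const char *node;
    uint64_t base;
    uint64_t size;
} mmio_range_t;

static const mmio_range_t known_ranges[] = {
    { "usb-drd", 0x200000000ULL, 0x00100000ULL },
    { "gpu",     0x206000000ULL, 0x00040000ULL },
    { "mem-ctl", 0x210000000ULL, 0x00010000ULL },
};
#define N_KNOWN (sizeof known_ranges / sizeof known_ranges[0])

/* Return the index of the documented range covering addr, or -1 when no
 * device tree entry claims it. Comparing addr - base against size avoids
 * overflow where base + size would wrap at the top of the address space. */
int mmio_lookup(uint64_t addr, const mmio_range_t *ranges, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= ranges[i].base && addr - ranges[i].base < ranges[i].size)
            return (int)i;
    return -1;
}

/* Count candidate addresses (e.g. recovered from an exploit) that no
 * documented range covers; those are the ones that merit closer study. */
size_t count_undocumented(const uint64_t *addrs, size_t n,
                          const mmio_range_t *ranges, size_t nr)
{
    size_t undocumented = 0;
    for (size_t i = 0; i < n; i++)
        if (mmio_lookup(addrs[i], ranges, nr) < 0)
            undocumented++;
    return undocumented;
}

/* Constructed candidates: two inside documented windows, two in a gap
 * between them. Hypothetical values, not the ones Triangulation used. */
static const uint64_t sample_candidates[] = {
    0x200001000ULL, 0x206000100ULL, 0x2F0000000ULL, 0x2F0000008ULL,
};
#define N_CANDIDATES (sizeof sample_candidates / sizeof sample_candidates[0])

size_t sample_undocumented(void)
{
    return count_undocumented(sample_candidates, N_CANDIDATES, known_ranges, N_KNOWN);
}

/* MMIO access idiom: a register is accessed through a volatile pointer of
 * the register's width, so the compiler emits exactly one access of that
 * size and cannot cache, merge or reorder it. On hardware the window comes
 * from a physical mapping; here a 4 KiB RAM buffer stands in for one page. */
static uint32_t fake_register_page[1024];

static inline void mmio_write32(volatile uint32_t *reg, uint32_t v) { *reg = v; }
static inline uint32_t mmio_read32(volatile uint32_t *reg) { return *reg; }

/* Write value to the register at absolute address reg_addr inside the window
 * starting at window_base, then read it back. An offset outside the page
 * returns all-ones, mimicking a read from an unbacked bus address. */
uint32_t demo_register_write(uint64_t window_base, uint64_t reg_addr, uint32_t value)
{
    uint64_t offset = reg_addr - window_base;
    if (offset > sizeof fake_register_page - sizeof(uint32_t))
        return 0xFFFFFFFFu;
    volatile uint32_t *reg =
        (volatile uint32_t *)((volatile uint8_t *)fake_register_page + offset);
    mmio_write32(reg, value);
    return mmio_read32(reg);
}

int main(void)
{
    for (size_t i = 0; i < N_CANDIDATES; i++) {
        int idx = mmio_lookup(sample_candidates[i], known_ranges, N_KNOWN);
        printf("0x%llx -> %s\n", (unsigned long long)sample_candidates[i],
               idx < 0 ? "NOT in device tree" : known_ranges[idx].node);
    }
    printf("undocumented: %zu of %zu\n", sample_undocumented(), N_CANDIDATES);
    printf("readback: 0x%08x\n",
           demo_register_write(0x206000000ULL, 0x206000100ULL, 0xA5A5A5A5u));
    return 0;
}
```

In a real investigation the `known_ranges` table would be generated from the device tree of the firmware under study, and the candidate list from the addresses the exploit code dereferences; addresses that land in no documented window are the ones to trace through the kernel and firmware, which is the search the paragraph above describes.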