Operation Triangulation spyware attacks targeting iPhone devices since 2019 have exploited undocumented features of Apple chips to bypass hardware security protections.
This discovery comes from Kaspersky analysts who have been reverse engineering the complex attack chain over the past year, trying to uncover all the details behind the campaign they initially discovered in June 2023.
The discovery and use of obscure hardware features likely reserved for debugging and factory testing to launch spyware attacks against iPhone users suggests that a sophisticated threat actor carried out the campaign.
Additionally, this serves as a prime example of why relying on security through obscurity and secrecy in hardware design or hardware testing implementation is a false premise.
Operation Triangulation is a spyware campaign targeting Apple iPhone devices using a series of four zero-day vulnerabilities. These vulnerabilities are chained together to create a zero-click exploit that allows attackers to elevate privileges and execute code remotely.
The four flaws that make up the very sophisticated exploit chain and which have worked on all versions of iOS up to iOS 16.2 are:
- CVE-2023-41990: A vulnerability in the ADJUST TrueType font instruction allowing remote code execution via a malicious iMessage attachment.
- CVE-2023-32434: An integer overflow issue in XNU’s memory mapping system calls, granting attackers extensive read/write access to the device’s physical memory.
- CVE-2023-32435: Used in the Safari exploit to execute shellcode as part of the multi-stage attack.
- CVE-2023-38606: A vulnerability using MMIO hardware registers to bypass the Page Protection Layer (PPL), thereby overriding hardware security protections.
The attacks start with a malicious iMessage attachment sent to the target. The entire chain is zero-click, meaning it requires no user interaction and leaves no visible signs or traces.
Kaspersky discovered the attack within its own network, and the Russian intelligence service (FSB) immediately accused Apple of providing the NSA with a backdoor against the Russian government and embassy staff.
So far, the origin of the attacks remains unknown and there is no evidence for these allegations.
Apple fixed the two then-recognized zero-day flaws (CVE-2023-32434 and CVE-2023-32435) on June 21, 2023, with the release of iOS/iPadOS 16.5.1 and iOS/iPadOS 15.7.7.
Very sophisticated attacks
Among the above flaws, CVE-2023-38606, which was patched on July 24, 2023 with the release of iOS/iPadOS 16.6, is the most intriguing for Kaspersky analysts.
Exploiting this flaw lets an attacker bypass the hardware protection in Apple chips that would otherwise prevent an attacker who has already obtained read and write access to kernel memory (here, via the separate vulnerability CVE-2023-32434) from gaining complete control over the device.
In the in-depth technical description, Kaspersky explains that CVE-2023-38606 targets unknown MMIO (memory mapped I/O) registers in Apple A12-A16 Bionic processors, likely related to the chip’s GPU coprocessor, which are not listed in the device tree.
The Triangulation operation uses these registers to manipulate hardware functionality and control direct memory access during the attack.
“If we try to describe this feature and how attackers took advantage of it, it all comes down to this: they are able to write data to a certain physical address while bypassing hardware memory protection by writing the data, destination address, and data hash to unknown hardware registers on the chip not used by the firmware,” the Kaspersky report explains.
Kaspersky speculates that the inclusion of this undocumented hardware feature in the final consumer version of the iPhone is either a mistake or was left in to help Apple engineers with debugging and testing.
Apple fixed the flaw by updating the device tree to restrict physical address mapping.
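To make that fix concrete, the following is an added model (not Apple's or Kaspersky's code) of a device-tree allowlist for physical address mapping: only ranges the device tree lists can be mapped, so a register range the firmware never declared is refused. The device tree, the address ranges and the function names are constructed for illustration.

```python
# Added model of "restrict physical address mapping to device-tree ranges".
# Everything here (ranges, node names, function names) is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    base: int
    size: int

    def end(self) -> int:
        return self.base + self.size  # exclusive upper bound

    def contains(self, base: int, size: int) -> bool:
        # The whole requested window must sit inside this listed range.
        return self.base <= base and base + size <= self.end()


# Constructed device tree: MMIO regions the firmware is expected to use.
DEVICE_TREE = {
    "uart0": [Range(0x2_0000_0000, 0x1000)],
    "gpu":   [Range(0x2_0400_0000, 0x1_0000)],
}


def build_allowlist(device_tree: dict) -> list:
    """Flatten every listed MMIO range into one sorted allowlist."""
    ranges = [r for node in device_tree.values() for r in node]
    return sorted(ranges, key=lambda r: r.base)


def map_physical(base: int, size: int, allowlist: list, enforce: bool = True) -> bool:
    """Return True if mapping [base, base+size) is permitted.

    enforce=False models the pre-fix behaviour, where any physical address
    could be mapped; enforce=True models the fix, where only windows fully
    inside a device-tree range are allowed. Windows straddling a range
    boundary are rejected (conservative by design).
    """
    if size <= 0 or base < 0:
        raise ValueError("malformed mapping request")
    if not enforce:
        return True
    return any(r.contains(base, size) for r in allowlist)


if __name__ == "__main__":
    allow = build_allowlist(DEVICE_TREE)
    # A constructed address that no device-tree node declares:
    print(map_physical(0x2_0600_0000, 0x100, allow, enforce=False))  # True (before fix)
    print(map_physical(0x2_0600_0000, 0x100, allow))                 # False (after fix)
```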
However, how the attackers gained knowledge of such an obscure exploitable mechanism remains unknown.