Hardware vulnerability in iPhones used for 4 years: Operation Triangulation

In drawing the conclusions of an investigation that lasted over 12 months, Kaspersky painted the dark picture that characterizes Operation Triangulation. In this case the attackers managed to launch zero-click attacks: that is, they got malicious code to execute automatically on the victims’ iPhones simply by sending specially crafted iMessage messages.

The experts of Kaspersky’s Global Research and Analysis Team (GReAT) found that a previously unknown hardware feature was critical to the success of the campaign known as Operation Triangulation. A vulnerability in Apple’s SoC (System-on-a-Chip) allowed remote attackers to bypass hardware-based memory protection on iPhones running iOS versions up to 16.6.

What is of concern is that the hardware security problem detected by Kaspersky appears to have been exploited for at least four years (that is, since 2019) to conduct targeted attacks against high-profile individuals and companies.

Hardware vulnerability in Apple SoCs used to seize control of iPhones

The security gap in question rests on the concept of “security through obscurity”: rather than the strength of the algorithms or the complexity of cryptographic keys, protection relies on its key components being hidden or unknown to the public and to users. It is an approach that experts have always advised against because of its obvious intrinsic risks.

Yet, as Kaspersky explains, after the initial attack on iMessage through a zero-click vulnerability (so called because it fires immediately, without requiring any intervention or interaction from the user), the attackers leveraged the hardware function built into the Apple SoC to bypass the security protections and alter the contents of protected memory areas. This step proved crucial for taking full control of the device. Apple has fixed the problem, tracked as CVE-2023-38606.

The GReAT researchers undertook in-depth reverse engineering, meticulously analyzing the integration of the iPhone’s hardware and software and focusing in particular on Memory-Mapped I/O (MMIO) addresses, which are essential for efficient communication between the CPU and peripheral devices. Previously unknown MMIO addresses were used by the attackers to bypass the hardware-enforced kernel memory protection.

“This is no ordinary vulnerability, and due to the closed nature of the iOS ecosystem, the analysis process proved to be very challenging, requiring an in-depth understanding of Apple’s hardware and software architectures. This discovery teaches us once again that even advanced hardware-based protections can be rendered ineffective by attackers who have advanced and sophisticated skills, particularly when there are hardware features that allow the protections to be bypassed,” commented Boris Larin, Principal Security Researcher at Kaspersky GReAT.

The identikit of Operation Triangulation

Baptised Operation Triangulation, the APT (Advanced Persistent Threat) campaign discovered in June 2023 by Kaspersky is designed to specifically target iOS devices. Using a chain of vulnerabilities, now fixed by Apple’s engineers, the attackers could gain complete control of other people’s devices and access each user’s personal and confidential data.

Apple has released security updates to resolve the four zero-day vulnerabilities at the base of the campaign: the identifiers of the problems fixed in the Cupertino company’s products are CVE-2023-32434, CVE-2023-32435, CVE-2023-38606 and CVE-2023-41990.

The vulnerabilities affect a wide range of products, including iPhone, iPod, iPad, macOS devices, Apple TV and Apple Watch. Kaspersky reported the exploitation of the hardware issue to Apple, contributing to the resolution of the main problem.

After infection, spyware components were loaded onto the devices which, among other things, transmitted microphone recordings, photos, geolocation data and other personal information to remote servers. Even though the infections did not survive a reboot of the smartphone, the attackers kept the compromise alive simply by sending a new iMessage to the Apple device shortly after the reboot.

Larin admitted that some “mysterious” aspects still remain without a definitive answer. It is not known how the attackers learned of the existence of the offending hardware function, nor whether it is a native feature of iPhones or is enabled by a third-party hardware component such as ARM CoreSight.

The opening image is taken from “In search of the Triangulation: triangle_check utility” (Kaspersky).