Unveiling Operation Triangulation: Exploiting Obscure iPhone Hardware Feature in Sophisticated APT Attacks
The Kaspersky Global Research and Analysis Team (GReAT) has unearthed an obscure hardware feature in Apple's iPhone, likely exploited by hackers in a sophisticated spyware campaign known as Operation Triangulation. The campaign, active since 2019, specifically targeted iOS devices using zero-click exploits via iMessage, allowing attackers to gain unauthorized control and access to user data.
The hidden hardware vulnerability, not publicly documented until now, is believed to be part of Apple's system-on-a-chip (SoC), possibly included for debugging or testing purposes. Despite its intended purpose, this feature inadvertently provided a gateway for attackers to bypass security measures and compromise devices, specifically those owned by senior employees at Kaspersky.
Operation Triangulation came to light when Kaspersky researchers identified that their employees' iPhones had fallen victim to spyware. The cybersecurity vendor conducted in-depth research into the operation, culminating in a presentation titled "Operation Triangulation: What You Get When Attack iPhones of Researchers", shared at the 37th Chaos Communication Congress.
[Image: the GFX-ASC MMIO and its correlation with the addresses used by the attackers. Image credits: Kaspersky]
During the presentation, researchers highlighted the exploitation of multiple iOS zero-day vulnerabilities, including a critical issue in Apple's ADJUST TrueType font instruction. These vulnerabilities facilitated the execution of code and the installation of a stealthy spyware implant known as TriangleDB, with attackers using malicious iMessage attachments to exploit a remote code execution zero-day.
The most critical vulnerability enabled a JavaScript exploit to bypass the Page Protection Layer. The attackers executed a complex infection chain, involving multiple checks and log-erasing actions to prevent malware identification. Kaspersky termed it the most sophisticated attack chain they had ever witnessed.
The hardware feature exploited in this attack allowed the overriding of hardware-based security protecting the kernel, the core component of an operating system. Attackers could manipulate specific physical addresses, bypassing hardware-based memory protection by writing data to unknown hardware registers unused by the firmware.
The attackers wrote to MMIO registers of the GPU coprocessor that lie outside the MMIO ranges declared in Apple's DeviceTree, using them to write to memory, bypass kernel memory protections, and achieve remote code execution (RCE). Apple responded promptly by releasing security updates to address four zero-day vulnerabilities affecting various Apple products.
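The analysis step described above, correlating physical addresses touched by a sample against the MMIO ranges declared in the DeviceTree, as an added defender-side example written for this page (not Kaspersky's own tooling). The node names, base addresses and sizes are constructed sample values, not Apple's real address map.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class MmioRange:
    node: str   # DeviceTree node that owns the range
    base: int   # physical base address
    size: int   # length in bytes

    @property
    def end(self) -> int:
        return self.base + self.size   # exclusive end

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.end

# Constructed sample of DeviceTree MMIO entries as "node base size" lines
# (hypothetical values, not Apple's real layout).
SAMPLE_DT = """
gfx-asc 0x206400000 0x800000
aop     0x205000000 0x100000
"""

def parse_ranges(text: str) -> List[MmioRange]:
    ranges = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*$", line)
        if m:
            ranges.append(MmioRange(m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return ranges

def classify(addrs, ranges) -> Dict[int, Optional[str]]:
    """Map each physical address to the owning node, or None when no range claims it."""
    return {a: next((r.node for r in ranges if r.contains(a)), None) for a in addrs}

def nearest(addr: int, ranges) -> Tuple[str, int]:
    """For an unclaimed address, return the closest known range and the gap in bytes."""
    def gap(r: MmioRange) -> int:
        return 0 if r.contains(addr) else min(abs(addr - r.base), abs(addr - (r.end - 1)))
    best = min(ranges, key=gap)
    return best.node, gap(best)

def unknown_writes(addrs, ranges) -> List[Tuple[int, str, int]]:
    """Report addresses that fall outside every DeviceTree range, with the nearest known node."""
    return [(a, *nearest(a, ranges)) for a, owner in classify(addrs, ranges).items() if owner is None]

if __name__ == "__main__":
    rs = parse_ranges(SAMPLE_DT)
    writes = [0x206050000, 0x206400010, 0x205000100, 0x206C00000]  # constructed sample writes
    for a, node, g in unknown_writes(writes, rs):
        print(f"{a:#x}: not in any DeviceTree range; nearest {node} ({g:#x} bytes away)")
```

Addresses that no DeviceTree node claims but that sit just outside a known coprocessor range are the ones worth investigating, which is how the undocumented registers stood out in this case.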
Despite these efforts, many questions remain unanswered, such as the purpose of this feature, how attackers learned to exploit it, and whether it was developed by Apple or a third-party component like ARM CoreSight. The discovery highlights the ongoing challenges in ensuring the security of Apple's ecosystem and underscores the need for continuous vigilance and prompt response to emerging threats.