The findings came as part of Operation Triangulation, months after Kaspersky discovered that their employees’ iPhones had been hacked by spyware.
Kaspersky Global Research and Analysis Team (GReAT) has discovered an obscure hardware feature likely exploited by hackers during spyware attacks against iPhone users.
The attacks were part of an APT campaign dubbed Operation Triangulation, which has been active since 2019 and targets iOS devices using zero-click exploits delivered via iMessage, allowing attackers to take control of the device and access user data. Kaspersky discovered the campaign this summer.
The feature, which is not publicly documented, is part of Apple’s system-on-a-chip (SoC). It was probably included in the iPhone for debugging or testing purposes by Apple engineers, or left in the final consumer version by mistake. Either way, it allowed attackers to bypass protections and hijack devices in attacks targeting the iPhones of senior Kaspersky employees.
The research into Operation Triangulation was conducted by the cybersecurity vendor Kaspersky. It is worth noting that the investigation began when Kaspersky researchers found that their own employees’ iPhones had been hacked by spyware.
On December 27, 2023, the company shared the findings in a presentation titled “Operation Triangulation: What You Get When Attack iPhones of Researchers” at the 37th Chaos Communication Congress in Hamburg, and published them in a report authored by Boris Larin.
During the presentation, researchers explained that multiple iOS zero-day vulnerabilities (including CVE-2023-41990, an RCE issue in the ADJUST TrueType font instruction, and CVE-2023-38606, a bypass of hardware-based security protections) were exploited to execute code and install a stealthy spyware implant known as TriangleDB.
These vulnerabilities were used to target iPhones running iOS versions up to iOS 16.6. The most critical of them was CVE-2023-38606, which allowed a JavaScript exploit to bypass the Page Protection Layer.
The attackers used malicious iMessage attachments to exploit a remote code execution zero-day and deploy TriangleDB without any user interaction. The infection chain involved multiple checks and log-erasing actions to prevent the malware from being identified. Researchers were discovering new exploits daily and called it the most sophisticated attack chain they had ever witnessed.
“We have discovered and reported more than thirty in-the-wild zero-days in Adobe, Apple, Google, and Microsoft products, but this is the most sophisticated attack chain we have ever seen.”
Kaspersky – GReAT
The obscure feature allowed the hardware-based protection of the kernel, the core part of an operating system, to be overridden. Attackers could then write data to a specific physical address while “bypassing hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware.”
The attackers used MMIO registers of the GPU coprocessor that are not covered by the address ranges declared in Apple’s DeviceTree to write to memory, bypass protections, and achieve RCE.
Apple responded by releasing security updates to address four zero-day vulnerabilities impacting various Apple products: CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, and CVE-2023-41990.
However, many questions remain unanswered, such as the purpose of this feature, how the attackers learned to use it given that the firmware did not, and whether it was developed by Apple or comes from a third-party component such as ARM CoreSight.