A previously unknown hardware feature in Apple iPhones, pivotal in the Operation Triangulation campaign was recently exposed. The feature was exposed by Kaspersky’s Global Research and Analysis Team (GReAT), at the 37th Chaos Communication Congress in Hamburg.
Kaspersky’s research team disclosed that this is one of the most sophisticated attack chain they have witnessed to date.
The vulnerability of the Apple System was discovered on a chip, or SoC, that has played a critical role in the recent iPhone attacks known as “Operation Triangulation”, allowing attackers to bypass the hardware-based memory protection on iPhones running iOS versions up to iOS 16.6.
“Operation Triangulation” is an Advanced Persistent Threat (APT) campaign targeting iOS devices. This sophisticated campaign employs zero-click and exploits distributed via iMessage, which then allows attackers to gain complete control over the targeted device and access user data.
Apple responded to the attacks, by releasing security updates to address four zero-day vulnerabilities: CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, and CVE-2023-41990.
These vulnerabilities impact a broad spectrum of Apple products, including iPhones, iPods, iPads, macOS devices, Apple TV, and Apple Watch.
The discovered vulnerability is a hardware feature, possibly based on the principle of of “security through obscurity”, and may have been intended for testing or debugging.
Following the initial 0-Click iMessage attack and subsequent privilege escalation, it was found that the attackers leveraged this hardware feature to bypass hardware-based security protections and manipulate the contents of protected memory regions. This was found to be a crucial step to obtaining full control over the device. Apple addressed the issue, identified as CVE-2023-38606.
Because the feature was not publicly documented, it presented a significant challenge in its detection and analysis using conventional security methods.
Boris Larin, Principal Security Researcher at Kaspersky’s GReAT, explains, “This is no ordinary vulnerability. Due to the closed nature of the iOS ecosystem, the discovery process was both challenging and time-consuming, requiring a comprehensive understanding of both hardware and software architectures.
“What this discovery teaches us once again is that even advanced hardware-based protections can be rendered ineffective in the face of sophisticated attacker, particularly when there are hardware features allowing to bypass these protections.”