Operation Triangulation: Undocumented iPhone hardware feature exposed
The Global Research and Analysis Team (GReAT) at Kaspersky has disclosed a previously undocumented hardware feature in Apple iPhones that played a pivotal role in the Operation Triangulation campaign. The finding was presented at the 37th Chaos Communication Congress in Hamburg.
The vulnerability sits in Apple's System on a Chip (SoC) and enabled the recent wave of iPhone attacks known as Operation Triangulation. Because it resides in the hardware itself, it allowed attackers to bypass Apple's hardware-based memory protection on iPhones running iOS versions up to 16.6. The researchers characterise it as a hardware feature rather than a conventional bug: it was protected only by obscurity, and may have been intended for testing or debugging.
After an initial zero-click iMessage exploit and a subsequent privilege escalation, the attackers used this feature to defeat the hardware-based memory protection and write to memory regions that should have been protected, giving them full control of the device. Apple has addressed the issue, which is tracked as CVE-2023-38606; for defenders, the practical check is that devices are running an iOS version that carries the fix.
Detecting the feature was a significant challenge precisely because it was undocumented. Conventional security methods proved ineffective, which forced the GReAT researchers into extensive reverse engineering of the iPhone's hardware and software integration. Boris Larin, Principal Security Researcher at Kaspersky's GReAT, stressed, "What this discovery teaches us once again is that even advanced hardware-based protections can be rendered ineffective in the face of a sophisticated attacker, particularly when there are hardware features that allow these protections to be bypassed."
Operation Triangulation, uncovered by Kaspersky earlier this year, is an Advanced Persistent Threat (APT) campaign targeting iOS devices. It used sophisticated zero-click exploits delivered via iMessage, enabling attackers to gain complete control over the targeted device and access its user data. Apple released security updates for the four zero-day vulnerabilities identified by Kaspersky researchers, which affected a range of Apple products including iPhones, iPods, iPads, Macs, Apple TV and Apple Watch. Kaspersky also notified Apple of the exploitation of the hardware feature, which the company has since mitigated.
Kaspersky recommends several preventive measures against targeted attacks by known or unknown threat actors: keep the operating system, applications and antivirus software up to date so that known vulnerabilities are patched; give the Security Operations Centre (SOC) team access to the most recent threat intelligence; upskill the cybersecurity team against the latest targeted threats with Kaspersky's online training, developed by GReAT experts; and, at the endpoint level, investigate alerts and threats raised by security controls using Kaspersky's Incident Response and Digital Forensics services for deeper insight.