One of the most refined iPhone hacks of the last 4 years attacks smartphones of Russian diplomats and Kaspersky employees

Another iPhone hacking story was told by employees of Kaspersky, the well-known Russian anti-virus software developer. According to them, both Russian diplomatic officials and Kaspersky employees were attacked.

The details of the event were described by Ars Technica.

The Triangulation campaign, as the researchers called the hack, has been going on for four years. It was disclosed to the public in June, and a year into the investigation the company has still not reached a conclusion about the purpose of the attack or about how the attackers learned that it was possible.

Through an iMessage message that required no user interaction, the hackers were able to obtain microphone recordings, photos, location, and other data from the infected devices. The malware did not survive a smartphone reboot, but nothing prevented the hackers from resending the message and continuing to monitor the victims.

To achieve this, the attackers used both an undocumented hardware feature of the devices and zero-day vulnerabilities.

“The exploit’s sophistication and the feature’s obscurity suggest the attackers had advanced technical capabilities,” Kaspersky researcher Boris Larin wrote in an email. “Our analysis hasn’t revealed how they became aware of this feature, but we’re exploring all possibilities, including accidental disclosure in past firmware or source code releases. They may also have stumbled upon it through hardware reverse engineering.”

The zero-day vulnerabilities used in the attacks include the following:

- CVE-2023-41990, a vulnerability in Apple’s TrueType font implementation;
- CVE-2023-32434, a memory corruption vulnerability in the XNU kernel;
- CVE-2023-38606, a vulnerability involving undocumented MMIO registers;
- CVE-2023-32435, a Safari vulnerability.

The same chain could also be used against Macs, iPods, iPads, Apple TV, and Apple Watch. Apple has since released security updates that close these loopholes.

The most interesting aspect of the campaign, however, is the use of a previously undocumented hardware feature of the devices, which played a key role in the attack. It is noted that only Apple employees or suppliers such as Arm could have known about it. Larin assumes that the feature was intended for testing, or that it even ended up in production devices by mistake.

By exploiting the zero-day vulnerabilities, the attackers were able to bypass modern hardware-based memory protection, which is designed to preserve the integrity of the system even after an attacker has gained access to the underlying kernel memory. On most other platforms, an attacker who successfully exploits a kernel vulnerability gains full control of the compromised system.

On Apple devices, this protection was circumvented by exploiting a vulnerability in the undocumented hardware feature, which allowed malicious code to be injected into other processes and kernel code or sensitive kernel data to be modified.

“If we try to describe this feature and how attackers use it, it all comes down to this: attackers are able to write the desired data to the desired physical address with [the] bypass of [a] hardware-based memory protection by writing the data, destination address and hash of data to unknown, not used by the firmware, hardware registers of the chip.
Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or was included by mistake. Since this feature is not used by the firmware, we have no idea how attackers would know how to use it,” Larin added.

The chain of exploits was also reconstructed. It all started with CVE-2023-41990, a vulnerability in Apple’s TrueType font implementation. The exploit used ROP and JOP techniques to bypass security mitigations, which allowed remote code execution, albeit with minimal system privileges.

Next came the iOS kernel. Manipulating it was made possible by CVE-2023-32434 (a memory corruption vulnerability in XNU) and CVE-2023-38606 (a vulnerability involving undocumented MMIO registers). The Safari vulnerability CVE-2023-32435 was then used to execute the attackers’ code. That code exploited CVE-2023-32434 and CVE-2023-38606 once more to gain root access, which was needed to install the final spyware payload.

When Kaspersky reported Operation Triangulation and the attack on its employees’ smartphones in June, Russia’s National Coordination Center for Computer Incidents said that such attacks were part of a broader campaign by the US National Security Agency against diplomatic representatives. The FSB also accused Apple of cooperating with the NSA. Kaspersky, however, commented that there was no evidence of NSA or Apple involvement in the attack:

“Currently, we cannot conclusively attribute this cyberattack to any known threat actor,” Larin wrote in the email. “The unique characteristics observed in Operation Triangulation don’t align with patterns of known campaigns, making attribution challenging at this stage.”

Apple itself did not comment on the details of the attack, but a company spokesperson likewise denied Apple’s involvement.