Kaspersky's Global Research and Analyses Team (GReAT) has unveiled a previously unknown hardware feature in Apple iPhones, pivotal to the recent Operation Triangulation campaign. The team presented this discovery at the 37th Chaos Communication Congress in Hamburg.

The researchers discovered a vulnerability in Apple System on a chip, or SoC, that has played a critical role in the recent iPhone attacks, known as Operation Triangulation, allowing attackers to bypass the hardware-based memory protection on iPhones running iOS versions up to iOS 16.6.

The discovered vulnerability is a hardware feature, possibly based on the principle of "security through obscurity," which may have been intended for testing or debugging. Following the initial 0-click iMessage attack and subsequent privilege escalation, the attackers leveraged this hardware feature to bypass hardware-based security protections and manipulate the contents of protected memory regions. This step was crucial for obtaining full control over the device. Apple addressed the issue, identified as CVE-2023-38606.

As far as Kaspersky is aware, this feature was not publicly documented, presenting a significant challenge in its detection and analysis using conventional security methods. GReAT researchers engaged in extensive reverse engineering, meticulously analyzing the iPhone's hardware and software integration, particularly focusing on the Memory-Mapped I/O, or MMIO, addresses, which are critical for facilitating efficient communication between the CPU and peripheral devices in the system. Unknown MMIO addresses, used by the attackers to bypass the hardware-based kernel memory protection, were not identified in any device tree ranges, presenting a significant challenge. The team had to also decipher the intricate workings of the SoC and its interaction with the iOS operating system, especially regarding memory management and protection mechanisms. This process involved a thorough examination of various device tree files, source codes, kernel images, and firmware, in a quest to find any reference to these MMIO addresses.

"This is no ordinary vulnerability. Due to the closed nature of the iOS ecosystem, the discovery process was both challenging and time-consuming, requiring a comprehensive understanding of both hardware and software architectures," said Boris Larin, principal security researcher at Kaspersky's GReAT. "What this discovery teaches us once again is that even advanced hardware-based protections can be rendered ineffective in the face of a sophisticated attacker, particularly when there are hardware features allowing to bypass these protections."

"Operation Triangulation" is an Advanced Persistent Threat (APT) campaign targeting iOS devices, uncovered by Kaspersky this past summer. This sophisticated campaign employs zero-click exploits distributed via iMessage, enabling attackers to gain complete control over the targeted device and access user data. Apple responded by releasing security updates to address four zero-day vulnerabilities identified by Kaspersky researchers: CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, and CVE-2023-41990. These vulnerabilities impact a broad spectrum of Apple products, including iPhones, iPods, iPads, macOS devices, Apple TV, and Apple Watch. Kaspersky also informed Apple about the exploitation of the hardware feature, leading to its subsequent mitigation by the company.

To learn more about Operation Triangulation and the technical details behind the analysis, read the report on Securelist.com.