Kaspersky’s Global Research and Analysis Team (GReAT) disclosed a hidden hardware feature in Apple iPhones, crucial for the Operation Triangulation campaign. The team shared this discovery at the 37th Chaos Communication Congress in Hamburg.
Kaspersky’s GReAT team found a vulnerability in Apple’s System on a chip, or SoC, that enabled the recent iPhone attacks, known as Operation Triangulation, to bypass the hardware-based memory protection on iPhones running iOS versions up to iOS 16.6.
The vulnerability lies in a hardware feature, possibly intended for testing or debugging, whose only protection was “security through obscurity.” After the initial zero-click iMessage attack and privilege escalation, the attackers used this feature to bypass hardware-based kernel memory protection and modify protected memory regions. This step was essential for gaining full control over the device. Apple fixed the issue, tracked as CVE-2023-38606.
Kaspersky said this feature was not publicly documented, making it hard to detect and analyze with conventional security methods. GReAT researchers carried out extensive reverse engineering, carefully analyzing the iPhone’s hardware and software, especially the Memory-Mapped I/O (MMIO) addresses through which the CPU communicates with other devices in the system. The unknown MMIO addresses used by the attackers to bypass the hardware-based kernel memory protection did not fall within any device tree ranges, which made the analysis harder. The team also had to understand the complex workings of the SoC and its interaction with iOS, particularly with respect to memory management and protection. This involved examining various device tree files, source code, kernel images, and firmware to find any reference to these MMIO addresses.
“This is not a normal vulnerability. The iOS ecosystem is closed, so the discovery was challenging and time-consuming, needing a deep understanding of both hardware and software. This discovery shows us again that even advanced hardware-based protections can be ineffective against a sophisticated attacker, especially when there are hardware features that can bypass them,” says Boris Larin, Principal Security Researcher at Kaspersky’s GReAT.
“Operation Triangulation” is an Advanced Persistent Threat (APT) campaign targeting iOS devices, discovered by Kaspersky earlier this summer. This complex campaign uses zero-click exploits delivered via iMessage, allowing attackers to take over the device and access user data. Apple released security updates to fix four zero-day vulnerabilities found by Kaspersky researchers: CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, and CVE-2023-41990. These affect many Apple products, including iPhones, iPods, iPads, macOS devices, Apple TV, and Apple Watch. Kaspersky also reported the exploitation of the hardware feature to Apple, which led the company to mitigate it.