A 4-year campaign backdoored iPhones using possibly the most advanced exploit ever


Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky. Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if any outside of Apple and chip suppliers such as ARM Holdings knew of.

“The sophistication of the exploit and the obscurity of the capability suggest that the attackers had complex technical capabilities,” Kaspersky researcher Boris Larin wrote in an email. “Our investigation did not reveal how they became aware of this feature, but we are exploring all possibilities, including accidental revelations in past versions of firmware or source code. They may also have stumbled upon it through non-hardware engineering.”

Other questions remain unanswered, Larin writes, even after about 12 months of extensive research. Aside from how the attackers discovered the hardware feature, researchers still don’t know precisely what its purpose is. It’s also unclear whether the feature is a native component of the iPhone or whether it’s enabled by a third-party hardware component, such as ARM’s CoreSight.

The devices were infected with comprehensive spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers. Although the infections didn’t survive a reboot, the unknown attackers kept their campaign alive by simply sending the devices a new malicious iMessage text shortly after they restarted.

Fresh details disclosed Wednesday said that “Triangulation”—the name Kaspersky gave to both the malware and the campaign that installed it—exploited four critical zero-day vulnerabilities, meaning serious programming flaws that were known to the attackers before they were known to Apple. The company has since patched all four of the vulnerabilities, which are tracked as:

Besides affecting iPhones, those zero-days and the secret hardware feature were also present on Macs, iPods, iPads, Apple TVs, and Apple Watches. And the exploits recovered by Kaspersky were intentionally developed to work on those devices as well. Apple has patched those platforms too. Apple declined to comment for this article.

Detecting infections is extremely difficult, even for people with advanced forensic expertise. For those who want to try, a list of Internet addresses, files, and other indicators of compromise is available here.

The most intriguing new detail is the targeting of the previously unknown hardware feature, which proved pivotal to the Operation Triangulation campaign. A zero-day in the feature allowed the attackers to bypass advanced hardware-based memory protections designed to safeguard the integrity of the device’s system even after an attacker has gained the ability to tamper with the memory of the underlying kernel. On most other platforms, once attackers have successfully exploited a kernel vulnerability, they have full control of the compromised system.

On Apple devices equipped with these protections, such attackers are still unable to perform key post-exploitation techniques, such as injecting malicious code into other processes or modifying kernel code or sensitive kernel data. This powerful protection was bypassed by exploiting a vulnerability in the secret feature. The protection, which has rarely been defeated by exploits found to date, is also present in Apple’s M1 and M2 processors.

Kaspersky researchers learned of the secret hardware feature only after months of extensive reverse engineering of devices that had been infected with Triangulation. In the course of that work, the researchers’ attention was drawn to what are known as hardware registers, which provide memory addresses for CPUs to interact with peripheral components such as USB, memory controllers, and GPUs. MMIOs, short for memory-mapped inputs/outputs, allow the CPU to write to a specific hardware register of a specific peripheral device.

The researchers found that several of the MMIO addresses the attackers used to bypass the memory protections weren’t identified in any device tree, a machine-readable description of a particular set of hardware that can be helpful to reverse engineers. Even after the researchers further scoured source code, kernel images, and firmware, they were still unable to find any mention of those MMIO addresses.
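The check the researchers describe, matching observed MMIO addresses against the `reg` ranges a device tree declares, can be scripted. This is an added example, not Kaspersky's tooling or anything from the Triangulation indicators; the device-tree source, node names and addresses are constructed placeholders, and it assumes two 32-bit address cells and two size cells per `reg` entry, as on typical 64-bit SoCs.

```python
import re
from typing import Dict, List, Tuple

# Constructed miniature device-tree source. Node names and addresses are
# illustrative placeholders, not any real Apple device tree.
SAMPLE_DTS = """
/ {
    usb@20000000    { reg = <0x0 0x20000000 0x0 0x10000>; };
    memctl@21000000 { reg = <0x0 0x21000000 0x0 0x1000>; };
    gpu@22000000    { reg = <0x0 0x22000000 0x0 0x100000>; };
};
"""

# Captures "name@unit { ... reg = <cells> ..." without crossing a node's closing brace.
NODE_RE = re.compile(r"([\w\-]+@[0-9a-fA-F]+)\s*\{[^}]*?reg\s*=\s*<([^>]+)>")


def parse_regions(dts: str) -> Dict[str, Tuple[int, int]]:
    """Return {node: (base, size)} for each node that declares a reg property.

    Assumes #address-cells = #size-cells = 2: the first two cells form the
    64-bit base, the next two the 64-bit size. Extra cells are ignored.
    """
    regions: Dict[str, Tuple[int, int]] = {}
    for node, cells in NODE_RE.findall(dts):
        vals = [int(c, 16) for c in cells.split()]
        if len(vals) < 4:
            continue  # malformed or single-cell entry; skip rather than guess
        base = (vals[0] << 32) | vals[1]
        size = (vals[2] << 32) | vals[3]
        regions[node] = (base, size)
    return regions


def classify_mmio(addresses: List[int], regions: Dict[str, Tuple[int, int]]) -> Dict[int, str]:
    """Map each observed MMIO address to the declared node whose range covers it,
    or to None when no declared peripheral owns that address."""
    owners: Dict[int, str] = {}
    for addr in addresses:
        owners[addr] = next(
            (node for node, (base, size) in regions.items() if base <= addr < base + size),
            None,
        )
    return owners


def undeclared_mmio(addresses: List[int], dts: str) -> List[int]:
    """Observed addresses that fall in no declared reg range: exactly the kind of
    unexplained hardware access that warrants further reverse engineering."""
    owners = classify_mmio(addresses, parse_regions(dts))
    return sorted(addr for addr, node in owners.items() if node is None)
```

Feed it the MMIO addresses recovered from a sample and the device tree for the matching hardware; anything it returns is unaccounted for by the documented peripherals and worth a closer look.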
