Researchers on Wednesday presented intriguing new findings about an attack that, over a four-year period, backdoored dozens, if not thousands, of iPhones, many of them owned by employees of the Moscow-based security firm Kaspersky. The most important finding was that the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that almost no one outside of chip suppliers such as Apple and ARM Holdings knew about.
“The sophistication of the exploit and the unclear functionality suggest that the attackers had advanced technical capabilities,” Kaspersky researcher Boris Larin wrote in an email. “Our analysis does not reveal how they became aware of this feature, but we investigated all possibilities, including accidental disclosure in past firmware or source code releases. It’s also possible that they discovered it by accident through reverse engineering the hardware.”
Four zero-days were exploited over the years
Larin wrote that despite nearly 12 months of intensive investigation, other questions remain unanswered. Beyond how the attackers learned of this hardware feature, researchers still don’t know exactly what its purpose is. It is also unclear whether the feature is a native part of the iPhone or whether it is enabled by a third-party hardware component such as ARM’s CoreSight.
The large-scale backdoor operation, which infected the iPhones of thousands of people working in Russian diplomatic missions and embassies, was discovered in June, Russian government officials said. Kaspersky says that for at least four years, the infections were delivered in iMessage texts that installed malware through a complex exploit chain without the recipient taking any action.
This infected the device with full-featured spyware that, among other things, sent microphone recordings, photos, location information, and other sensitive data to attacker-controlled servers. Although the infection did not survive a reboot, the unknown attackers kept the campaign going by simply sending new malicious iMessage texts to the device immediately after it rebooted.
New details revealed on Wednesday show that “Triangulation” (the name Kaspersky has given both the malware and the campaign that installed it) exploited four critical zero-day vulnerabilities, meaning serious programming flaws that the attackers knew about before Apple did. The company has since patched all four, and they are tracked as follows:
These critical zero-days and the secret hardware feature are not limited to the iPhone; they are also present on the Mac, iPod, iPad, Apple TV, and Apple Watch. Furthermore, the exploit recovered by Kaspersky was intentionally developed to work on these devices as well. Apple has also patched these platforms.
Detecting infection is extremely difficult, even for those with advanced forensic expertise. For those who want to try, a list of Internet addresses, files, and other indicators of compromise is available here.
Mysterious iPhone feature turns out to be crucial to Triangulation’s success
The most interesting new detail concerns a previously unknown hardware feature that turned out to be critical to the Operation Triangulation campaign. This zero-day allowed attackers to bypass an advanced, hardware-based memory protection that is designed to preserve the integrity of the device’s system even after an attacker is able to modify the underlying kernel’s memory. On most other platforms, an attacker who successfully exploits a kernel vulnerability can gain complete control of the compromised system.
On Apple devices with these protections, such attackers are still unable to carry out key post-exploitation techniques, such as injecting malicious code into other processes or modifying kernel code or sensitive kernel data. This strong protection was bypassed by exploiting a vulnerability in the secret feature. The same protection also exists in Apple’s M1 and M2 CPUs, and few exploits discovered so far have broken it.
Kaspersky researchers learned of the secret hardware feature only after months of extensive reverse engineering of Triangulation-infected devices. In the course of that work, the researchers focused on so-called hardware registers, which provide memory addresses the CPU uses to communicate with peripheral components such as USB, memory controllers, and GPUs. This mechanism, MMIO (memory-mapped input/output), allows the CPU to write to specific hardware registers on specific peripherals.
The researchers discovered that some of the MMIO addresses the attackers used to bypass the memory protection were not identified in the device tree, a file that serves as a reference for engineers creating hardware or software for the iPhone. Even after the researchers further examined source code, kernel images, and firmware, they could find no mention of those MMIO addresses.
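The cross-check described above, comparing MMIO addresses observed in a sample against the address ranges the device tree documents, is something an analyst can automate. The following is an added example written for this article, not Kaspersky's or Apple's code: the device-tree regions and the observed addresses are constructed placeholders (the hexadecimal values are not real Apple SoC register addresses), and the function names (`build_index`, `classify_accesses`, `undocumented`) are this example's own. It flags every access that lands outside all documented ranges, treating region ends as exclusive so an access one byte past a region is correctly reported as undocumented.

```python
"""Flag MMIO addresses that fall outside every range listed in a device tree.

Added example, not code from Kaspersky or Apple. All regions and addresses
below are constructed for illustration and are not real register addresses.
"""
import bisect
from dataclasses import dataclass


@dataclass(frozen=True)
class MmioRegion:
    name: str
    base: int
    size: int

    @property
    def end(self) -> int:
        # Exclusive end: the first address NOT covered by this region.
        return self.base + self.size


# Constructed stand-in for the per-peripheral "reg" entries a device tree exposes.
DEVICE_TREE_REGIONS = [
    MmioRegion("usb-drd", 0x2000_0000, 0x0010_0000),
    MmioRegion("memory-controller", 0x3000_0000, 0x0004_0000),
    MmioRegion("gpu", 0x4000_0000, 0x0100_0000),
]

# Constructed sample of addresses a trace might show being written to.
OBSERVED_ACCESSES = [0x2000_0010, 0x3000_3FF0, 0x4010_0000, 0x5000_0004, 0x2010_0000]


def build_index(regions):
    """Sort regions by base so each lookup is a binary search.

    Overlapping regions would make attribution ambiguous, so they are rejected.
    """
    ordered = sorted(regions, key=lambda r: r.base)
    for earlier, later in zip(ordered, ordered[1:]):
        if earlier.end > later.base:
            raise ValueError(f"overlapping regions {earlier.name} and {later.name}")
    return ordered, [r.base for r in ordered]


def lookup(index, addr):
    """Return the region containing addr, or None if it is undocumented."""
    ordered, bases = index
    i = bisect.bisect_right(bases, addr) - 1
    if i >= 0 and ordered[i].base <= addr < ordered[i].end:
        return ordered[i]
    return None


def classify_accesses(regions, accesses):
    """Map each observed address to the documented region name, or None."""
    index = build_index(regions)
    result = {}
    for addr in accesses:
        region = lookup(index, addr)
        result[addr] = region.name if region else None
    return result


def undocumented(regions, accesses):
    """Sorted list of observed addresses that no device-tree region covers."""
    return sorted(a for a, name in classify_accesses(regions, accesses).items() if name is None)


if __name__ == "__main__":
    for addr, name in classify_accesses(DEVICE_TREE_REGIONS, OBSERVED_ACCESSES).items():
        print(f"{addr:#010x} -> {name or 'NOT IN DEVICE TREE'}")
```

Run against the constructed data, the script attributes three of the five accesses to documented peripherals and reports `0x20100000` (one byte past the end of the constructed `usb-drd` region) and `0x50000004` as undocumented; in a real investigation the region list would come from the device's actual device tree and the addresses from a trace of the suspicious code.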