Unraveling the Operation Triangulation Spyware: A Deep Dive into iPhone Exploits

Since 2019, the Operation Triangulation spyware has targeted iPhone devices, exploiting undocumented features within Apple chips to bypass robust hardware-based security measures. Since discovering the campaign in June 2023, Kaspersky analysts have spent the better part of a year meticulously reverse-engineering this intricate attack chain and shedding light on its complexities.

Exploitation of Obscure Hardware Features: Operation Triangulation represents a sophisticated attempt by threat actors to leverage obscure hardware features, potentially reserved for debugging and factory testing. This discovery underscores the limitations of relying on security through obscurity and the secrecy surrounding hardware design or testing implementations.

The Attack Chain: Chaining four zero-day vulnerabilities, Operation Triangulation builds a zero-click exploit that allows attackers to elevate privileges and execute remote code on iPhone devices. These vulnerabilities, which affected iOS versions up to 16.2, are the following:

  • CVE-2023-41990: A vulnerability in the ADJUST TrueType font instruction allowing remote code execution through a malicious iMessage attachment.
  • CVE-2023-32434: An integer overflow issue in XNU’s memory mapping syscalls, granting attackers extensive read/write access to the device’s physical memory.
  • CVE-2023-32435: Used in the Safari exploit to execute shellcode as part of the multi-stage attack.
  • CVE-2023-38606: A vulnerability in which undocumented hardware MMIO registers are used to bypass the Page Protection Layer (PPL), overriding hardware-based security protections.

Zero-Click Exploits: The attack commences with a malicious iMessage attachment sent to the target. Notably, the entire chain is zero-click, requiring no user interaction and leaving no noticeable signs or traces.

Attribution and Allegations: Kaspersky discovered the attack within its own network, prompting accusations from Russia’s intelligence service (FSB) against Apple. The FSB alleges that Apple provided the NSA with a backdoor used against Russian government and embassy personnel. However, the origin of the attacks remains unknown, and no evidence supports these allegations.

Apple’s Response: Apple addressed the recognized zero-day flaws on June 21, 2023, with the release of iOS/iPadOS 16.5.1 and iOS/iPadOS 15.7.7. The most intriguing flaw, CVE-2023-38606, was fixed on July 24, 2023, with the release of iOS/iPadOS 16.6. This flaw allowed attackers to bypass hardware protections on Apple chips, gaining complete control over the device.

Technical Insights: CVE-2023-38606 targeted undocumented MMIO registers in Apple A12-A16 Bionic processors, potentially linked to the chip’s GPU co-processor. Operation Triangulation used these registers to manipulate hardware features and control direct memory access during the attack. Kaspersky suggests that the presence of this undocumented hardware feature in consumer iPhone silicon may be a mistake, or may have been left in intentionally for debugging and factory-testing purposes.

Conclusion: The Operation Triangulation spyware exposes the exploitation of hidden hardware features in Apple chips, highlighting the vulnerability of relying on obscurity for security. Apple’s prompt response in fixing identified flaws underscores the ongoing challenges in safeguarding devices against highly sophisticated attacks. The mystery surrounding how attackers gained knowledge of such obscure exploitable mechanisms remains unresolved.

source: https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/