Kaspersky Exposes Secret iPhone Feature Hackers Used To Spy On Apple Devices

Image: Kaspersky researchers disclose details about the Operation Triangulation attack chain.
Earlier this year, Apple patched several vulnerabilities that, chained together, let the Operation Triangulation spyware land on devices with zero user interaction. Since then, researchers have been uncovering every component of the attack chain, and what they found is rather concerning.

Operation Triangulation is a spyware campaign that Kaspersky researchers discovered and reported in June of this year. It began with a malicious iMessage attachment sent to the victim, which the application processed without any notice to the user. The attachment achieved remote code execution by exploiting CVE-2023-41990, a vulnerability in Apple’s undocumented ADJUST TrueType font instruction. Next, CVE-2023-32434 was used to gain read and write access to the entire physical memory of the device from user level, combined with a bypass of the Page Protection Layer (PPL), the mechanism that guards kernel memory against unauthorized modification.

At this point an attacker with full access could do anything they wanted on the device, including running spyware. The chain does not stop there, however: the attackers clean up their exploitation artifacts, then use Safari to verify the victim and execute shellcode via CVE-2023-32435. That shellcode exploits the same two kernel vulnerabilities again (CVE-2023-32434 and CVE-2023-38606), this time to obtain root privileges, and loads the remaining malware stages.

Image: Kaspersky’s diagram of the Operation Triangulation exploit chain.

While this is rather complex, as the Kaspersky image above suggests, the most curious piece the researchers note is CVE-2023-38606. This vulnerability lets an exploit bypass hardware-based memory protection through a feature of Apple-designed SoCs: attackers “are able to write data to a certain physical address while bypassing the hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware.” The Kaspersky researchers believe this was a debugging or testing feature that was never meant to ship in the final product, and say they “have no idea how attackers would know how to use it.”
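To make the security-relevant point concrete, here is an added toy model, not Kaspersky’s code and not Apple’s register map: a “protection layer” locks pages against ordinary stores, but a hypothetical debug register block accepts a (data, address, hash) triple and commits the write without ever consulting the lock. The register offsets, the hash function and all names are assumptions for illustration; the only thing the model demonstrates is that a hash gate is an integrity check, not an authorization check, so any unmediated write path breaks the protection model regardless of how well the mediated path is enforced.

```c
/* Toy model of an unmediated hardware write path defeating a page-protection layer.
 * Everything here (register offsets, hash, names) is assumed for illustration;
 * it is not Apple's hardware and not the real CVE-2023-38606 mechanism. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define RAM_BYTES  4096u
#define PAGE_BYTES 256u
#define NPAGES     (RAM_BYTES / PAGE_BYTES)

static uint8_t ram[RAM_BYTES];
static bool page_locked[NPAGES];   /* set by the protection layer; ordinary stores must honour it */

/* Hypothetical debug register block (assumption: not a real register map). */
enum { REG_DATA = 0x0, REG_ADDR = 0x4, REG_HASH = 0x8, REG_CTRL = 0xC };
static struct { uint32_t data, addr, hash; } dbg;

/* Constructed integrity hash over (data, addr): a stand-in, not the real algorithm. */
static uint32_t toy_hash(uint32_t data, uint32_t addr)
{
    uint32_t h = 0x9e3779b9u ^ addr;
    h = (h ^ data) * 0x01000193u;
    h ^= h >> 16;
    return h;
}

void model_reset(void)
{
    memset(ram, 0, sizeof ram);
    memset(page_locked, 0, sizeof page_locked);
    memset(&dbg, 0, sizeof dbg);
}

/* The protection layer marks a page read-only for every ordinary store. */
int lock_page(uint32_t addr)
{
    if (addr >= RAM_BYTES) return -1;
    page_locked[addr / PAGE_BYTES] = true;
    return 0;
}

/* Mediated store path: refused on a locked page. */
int mediated_write32(uint32_t addr, uint32_t val)
{
    if (addr + 4 > RAM_BYTES || (addr & 3)) return -1;
    if (page_locked[addr / PAGE_BYTES]) return -2;   /* protection layer says no */
    memcpy(&ram[addr], &val, 4);
    return 0;
}

uint32_t read32(uint32_t addr)
{
    uint32_t v = 0;
    if (addr + 4 <= RAM_BYTES) memcpy(&v, &ram[addr], 4);
    return v;
}

/* Unmediated path: stores to the debug block. Writing CTRL commits data -> addr
 * if the supplied hash matches; page_locked is never consulted. */
int debug_reg_write(uint32_t reg, uint32_t val)
{
    switch (reg) {
    case REG_DATA: dbg.data = val; return 0;
    case REG_ADDR: dbg.addr = val; return 0;
    case REG_HASH: dbg.hash = val; return 0;
    case REG_CTRL:
        if (dbg.addr + 4 > RAM_BYTES || (dbg.addr & 3)) return -1;
        if (dbg.hash != toy_hash(dbg.data, dbg.addr)) return -3; /* hash gate, not a permission check */
        memcpy(&ram[dbg.addr], &dbg.data, 4);
        return 0;
    default: return -1;
    }
}

/* Scenario: the mediated store is blocked, a wrong hash is rejected,
 * the correct hash lands the write on the locked page. Returns 0 on success,
 * otherwise the number of the step that behaved unexpectedly. */
int demo_bypass(void)
{
    const uint32_t target = 0x100, payload = 0xdeadbeefu;
    model_reset();
    lock_page(target);
    if (mediated_write32(target, payload) != -2) return 1;   /* protection works on the normal path */
    debug_reg_write(REG_DATA, payload);
    debug_reg_write(REG_ADDR, target);
    debug_reg_write(REG_HASH, 0);
    if (debug_reg_write(REG_CTRL, 1) != -3) return 2;        /* bad hash: write refused */
    if (read32(target) != 0) return 3;
    debug_reg_write(REG_HASH, toy_hash(payload, target));
    if (debug_reg_write(REG_CTRL, 1) != 0) return 4;         /* correct hash: write lands */
    return read32(target) == payload ? 0 : 5;
}
```

The hash gate in the model is the part worth noticing: it stops accidental or malformed use of the register block, which is what a debugging feature would want, but it says nothing about who is allowed to write. Once the (data, address, hash) recipe is known, the lock on the page is irrelevant.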

This may suggest an insider threat of some sort, or that Apple itself was breached, but there is no real way to know. Regardless, it is a curious situation: attackers should not have known how to use that feature, let alone that it existed. In any event, the researchers have published the full technical details so that other iOS security researchers can verify their findings. At the end of the day, this is “definitely the most sophisticated attack chain” Kaspersky has ever seen, and an extra set of eyes could prove valuable.