Undocumented Hardware Feature Exploited in iPhone Triangulation Attack

December 27, 2023

The Operation Triangulation spyware has been targeting iPhone users since 2019, exploiting an undocumented feature in Apple chips to circumvent hardware-based security. Kaspersky researchers have spent over a year reverse-engineering the sophisticated attack chain, which they first identified in June 2023. The use of obscure hardware features, likely intended for debugging and factory testing, suggests the involvement of a highly skilled threat actor. The campaign serves as a stark reminder of the dangers of relying on security through obscurity or the secrecy of hardware design and implementation.

Operation Triangulation is a spyware campaign that targets Apple iPhone devices by exploiting four zero-day vulnerabilities. Chained together, these vulnerabilities form a zero-click exploit that lets attackers execute code remotely and escalate their privileges. The four flaws, which were effective on all iOS versions up to 16.2, are triggered by a malicious iMessage attachment sent to the target. The entire chain requires no user interaction and leaves no noticeable traces.

The attack was first discovered by Kaspersky within its own network. Following the discovery, Russia's intelligence service (FSB) accused Apple of providing the NSA with a backdoor against Russian government and embassy personnel. However, the origin of the attacks remains uncertain, and there is no evidence to support these claims. Apple addressed the two initially recognized zero-day flaws (CVE-2023-32434 and CVE-2023-32435) on June 21, 2023, with the release of iOS/iPadOS 16.5.1 and iOS/iPadOS 15.7.7.

The most intriguing flaw for Kaspersky's analysts was CVE-2023-38606, which was fixed on July 24, 2023, with the release of iOS/iPadOS 16.6. Apple chips include hardware protections that stop an attacker who has already obtained read and write access to kernel memory from taking full control of the device; in this chain, that kernel read/write access is obtained through the separate CVE-2023-32434 flaw, and exploiting CVE-2023-38606 then allows the attacker to bypass those hardware protections.

Kaspersky's in-depth technical analysis reveals that CVE-2023-38606 targets unknown MMIO (memory-mapped I/O) registers in Apple A12-A16 Bionic processors, likely connected to the chip's GPU co-processor, which are not listed in the DeviceTree. Operation Triangulation leverages these registers to manipulate hardware features and manage direct memory access during the attack. Kaspersky's report states, "If we try to describe this feature and how the attackers took advantage of it, it all comes down to this: they are able to write data to a certain physical address while bypassing the hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware."

Kaspersky theorizes that the presence of this undocumented hardware feature in the final consumer version of the iPhone is either an oversight or was left in to aid Apple engineers in debugging and testing. Apple fixed the flaw by updating the device tree to limit physical address mapping. However, how the attackers discovered such a hidden exploitable mechanism in the first place remains a mystery.
