Researchers Identify Flaw in Apple's SoC Linked to Recent iPhone Vulnerabilities

Kaspersky, a global cybersecurity firm, unveiled this vulnerability, suggesting it might be a hardware feature potentially built on the principle of “security through obscurity,” possibly intended for testing or debugging purposes.

The discovery of a vulnerability within Apple's System on a Chip (SoC) has been identified as a critical factor in recent iPhone attacks under the banner of Operation Triangulation. This flaw enabled attackers to circumvent the hardware-based memory protection on iOS devices up to version 16.6, as revealed in a new report.

Following a 0-click iMessage attack and subsequent privilege escalation, the attackers used this hardware feature to bypass the hardware-based security measures, writing to protected memory regions in order to gain full control over the device. Apple addressed this issue, identified as CVE-2023-38606, in response to the discovery.

Boris Larin, Principal Security Researcher at Kaspersky's GReAT, highlighted how hard this vulnerability was to uncover because of the closed nature of the iOS ecosystem. Larin emphasized that even sophisticated hardware-based protections can be rendered ineffective against a highly skilled attacker, especially where features exist that allow these protections to be bypassed.

The feature in question lacked public documentation, posing a significant challenge in detection and analysis using conventional security methods. Researchers undertook extensive reverse engineering, meticulously examining the iPhone's hardware-software integration, with specific focus on Memory-Mapped I/O (MMIO) addresses crucial for efficient CPU-to-device communication.

The attackers used MMIO addresses that did not fall within any range listed in the device tree to bypass hardware-based kernel memory protection; because nothing in the device tree accounted for these addresses, their use was particularly hard to detect, as outlined in the report.
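The detection problem described above is that the MMIO addresses in question appear in no device-tree range. The script below is an added example and is not Kaspersky's tooling or Apple's code: it decodes device-tree `reg` properties into address ranges and flags observed MMIO accesses that fall outside all of them. It assumes the standard flattened-device-tree encoding of `reg` (big-endian address/size cell pairs); Apple's own device tree format differs, and every node name, address and size below is constructed for illustration rather than taken from a real SoC.

```python
"""Flag MMIO accesses that fall outside every range declared in a device tree.

Added example: the node names, base addresses, sizes and observed accesses
are constructed and do not correspond to any real Apple SoC.
"""
from dataclasses import dataclass
from struct import pack
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class MmioRange:
    node: str   # device-tree node that declares the range
    base: int   # first address covered by the range
    size: int   # length of the range in bytes

    @property
    def end(self) -> int:
        """Exclusive upper bound of the range."""
        return self.base + self.size

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.end


def parse_reg_property(node: str, reg: bytes,
                       addr_cells: int = 2, size_cells: int = 2) -> List[MmioRange]:
    """Decode a flattened-device-tree 'reg' property into MmioRange objects.

    'reg' is a sequence of <address size> pairs, each cell a big-endian
    32-bit word; with 2 address cells and 2 size cells each pair is 16 bytes.
    """
    cell = 4
    stride = (addr_cells + size_cells) * cell
    if not reg or len(reg) % stride:
        raise ValueError("reg length is not a multiple of address+size cells")
    ranges = []
    for off in range(0, len(reg), stride):
        base = int.from_bytes(reg[off:off + addr_cells * cell], "big")
        size = int.from_bytes(reg[off + addr_cells * cell:off + stride], "big")
        ranges.append(MmioRange(node, base, size))
    return ranges


def classify_accesses(ranges: Iterable[MmioRange],
                      accesses: Iterable[int]) -> Tuple[list, list]:
    """Split observed MMIO addresses into those covered by a declared range
    and those that no device-tree node accounts for.

    Each entry is (address, [matching node names]); an empty list means the
    address is outside every known range and deserves a closer look.
    """
    ranges = list(ranges)
    known, unknown = [], []
    for addr in accesses:
        hits = [r.node for r in ranges if r.contains(addr)]
        (known if hits else unknown).append((addr, hits))
    return known, unknown


# Constructed device tree: node -> raw 'reg' bytes (2 address cells, 2 size cells).
SAMPLE_NODES: Dict[str, bytes] = {
    "uart0": pack(">QQ", 0x10000000, 0x1000),
    "gpio":  pack(">QQ", 0x20000000, 0x4000),
    # a node with two register windows in one 'reg' property
    "dart":  pack(">QQQQ", 0x40000000, 0x100, 0x40001000, 0x100),
}

# Constructed list of MMIO addresses seen being accessed from kernel code.
OBSERVED_ACCESSES = [0x10000010, 0x20003FFC, 0x30000040, 0x20004000, 0x40001080]


def load_sample_ranges() -> List[MmioRange]:
    ranges: List[MmioRange] = []
    for node, reg in SAMPLE_NODES.items():
        ranges.extend(parse_reg_property(node, reg))
    return ranges


def audit_sample() -> Tuple[list, list]:
    return classify_accesses(load_sample_ranges(), OBSERVED_ACCESSES)


if __name__ == "__main__":
    known, unknown = audit_sample()
    for addr, nodes in known:
        print(f"0x{addr:09X} covered by {', '.join(nodes)}")
    for addr, _ in unknown:
        print(f"0x{addr:09X} NOT in any device-tree range")
```

In a real investigation the ranges would come from the device's own device tree and the access list from a kernel memory dump or firmware analysis; the point of the check is that an address with no matching node is exactly the kind of undocumented register the report describes, and the off-by-one case (an access at a range's exclusive end) is treated as unknown rather than silently accepted.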

Operation Triangulation constitutes an Advanced Persistent Threat (APT) campaign targeting iOS devices. This sophisticated campaign employs zero-click exploits distributed via iMessage, granting attackers complete control over the targeted device and access to user data.

(With Agency Inputs)
