Researchers from Kaspersky have published new technical details on Operation Triangulation, an extremely sophisticated iOS spyware attack uncovered earlier this year. The attack exploited multiple zero-day vulnerabilities to silently compromise iPhones and install spyware without any user interaction.
According to the researchers, the malware was initially delivered to iPhones via malicious iMessages. The messages carried exploits that silently jailbroke the device with no user interaction, allowing the attackers to install spyware that harvested recordings, photos, location data and more.
Even after infected iPhones were rebooted, the attackers sent new messages to re-exploit them. This allowed the campaign to persist undetected for years.
Analysis by Kaspersky revealed that Operation Triangulation used an extremely advanced four-zero-day exploit chain to bypass iPhone security protections and achieve full system compromise. Apple has since patched all four vulnerabilities, which are tracked as CVE-2023-41990, CVE-2023-32434, CVE-2023-38606 and CVE-2023-32435.
The exploits targeted vulnerabilities in the iOS kernel, the Safari browser and font rendering. Together, they let the attackers gain root privileges on the device and defeat the kernel's integrity protections.
The most intriguing aspect, however, was the attackers' use of a previously unknown hardware feature to bypass an advanced memory protection called the Page Protection Layer (PPL), which prevents even code running in the kernel from modifying page tables and other protected memory.
Uncovering a Secret iPhone Feature
Through extensive reverse engineering, the researchers discovered that the attackers had written to undocumented memory-mapped I/O (MMIO) registers belonging to an undocumented hardware feature in order to disable the Page Protection Layer.
The registers were not listed in the device tree that Apple's firmware uses to describe the hardware to the kernel. Kaspersky believes the feature was most likely intended for internal testing or debugging and was left accessible by mistake.
Exploiting such an obscure hardware issue indicates extremely sophisticated capabilities. How the attackers learned of the feature is unknown.
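The device-tree point above is, in practice, an allowlist problem: a kernel that only grants physical mappings to MMIO ranges it knows about would refuse the undocumented registers, while one that does not will hand them to whoever already has a physical read/write primitive. The following is an added illustration of that check, not code from Kaspersky's analysis or from Apple. The device-tree nodes, their `reg` layout (little-endian 64-bit base/size cells), the register addresses and the accesses are all constructed sample data, and the function names are hypothetical.

```python
# Added example: allowlist check for physical MMIO accesses, modelled on the
# device-tree idea in the text. Not Apple's or Kaspersky's code; all addresses
# below are constructed sample values.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class MmioRange:
    name: str
    base: int
    size: int

    @property
    def end(self) -> int:
        """Exclusive end address of the range."""
        return self.base + self.size

    def covers(self, addr: int, length: int) -> bool:
        """True only if [addr, addr + length) lies entirely inside this range.

        An access that starts inside but runs past the end is rejected, so a
        register straddling a boundary cannot be reached through a neighbour.
        """
        return self.base <= addr and addr + length <= self.end


def parse_reg(name: str, reg: bytes, cell_bytes: int = 8) -> list[MmioRange]:
    """Parse a device-tree style 'reg' property made of (base, size) pairs.

    The 8-byte little-endian cell width is an assumption for this example.
    """
    pair = 2 * cell_bytes
    if len(reg) % pair:
        raise ValueError(f"{name}: reg property is not a whole number of (base, size) pairs")
    ranges = []
    for off in range(0, len(reg), pair):
        base = int.from_bytes(reg[off:off + cell_bytes], "little")
        size = int.from_bytes(reg[off + cell_bytes:off + pair], "little")
        ranges.append(MmioRange(name, base, size))
    return ranges


def audit_accesses(allowed: list[MmioRange], accesses: list[tuple[int, int]]) -> list[dict]:
    """Classify each (addr, length) physical access against the allowlist.

    Returns one dict per access with the device that permits it, or None when
    no declared node covers the whole access (the undocumented-register case).
    """
    results = []
    for addr, length in accesses:
        hit = next((r for r in allowed if r.covers(addr, length)), None)
        results.append({
            "addr": addr,
            "length": length,
            "allowed": hit is not None,
            "device": hit.name if hit else None,
        })
    return results


# Constructed sample device tree: two nodes, each with one (base, size) pair.
SAMPLE_DEVICE_TREE = {
    "gpio": (0x2_0000_0000).to_bytes(8, "little") + (0x1_0000).to_bytes(8, "little"),
    "uart": (0x2_0010_0000).to_bytes(8, "little") + (0x4000).to_bytes(8, "little"),
}
ALLOWED = [r for name, reg in SAMPLE_DEVICE_TREE.items() for r in parse_reg(name, reg)]

# Constructed sample accesses: two legitimate register writes, one that
# straddles the end of the gpio range, and one to a register no node declares.
SAMPLE_ACCESSES = [
    (0x2_0000_0100, 4),
    (0x2_0010_0FF0, 16),
    (0x2_0000_FFFC, 8),
    (0x2_0030_0000, 4),
]

if __name__ == "__main__":
    for r in audit_accesses(ALLOWED, SAMPLE_ACCESSES):
        verdict = f"allowed via {r['device']}" if r["allowed"] else "DENIED (not in device tree)"
        print(f"{r['addr']:#x} len={r['length']}: {verdict}")
```

The check rejects the fourth access because no declared node covers it, and the third because it runs past the end of the gpio range even though it starts inside it. Whether a real kernel enforces this depends on the firmware actually declaring every register the silicon exposes; Triangulation's registers were precisely the ones that were never declared.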
Operation Triangulation’s attack chain
It began by exploiting CVE-2023-41990, a vulnerability in Apple's handling of TrueType font instructions. This first link in the chain, which used return-oriented and jump-oriented programming to bypass modern exploit mitigations, gave the attackers remote code execution, albeit with minimal privileges.
With that initial foothold, the next link in the chain targeted the iOS kernel, the core of the operating system that handles the most sensitive device functions and data.
This kernel manipulation relied on CVE-2023-32434 and CVE-2023-38606.
CVE-2023-32434 is a memory-corruption vulnerability in XNU, the iOS kernel itself; exploiting it gave the attackers read and write access to kernel memory. CVE-2023-38606 resides in the undocumented MMIO registers described above. It allowed the attackers to bypass the Page Protection Layer, the defense that is meant to prevent code injection and kernel modification even after the kernel has been compromised.
The chain then exploited a Safari vulnerability, tracked as CVE-2023-32435, to execute shellcode. That shellcode in turn exploited CVE-2023-32434 and CVE-2023-38606 once more to obtain the root privileges needed to install the final spyware payload.
Kaspersky provided the following diagram of the exploit chain.
Image: Kaspersky
Implications for iOS and Hardware Security
This attack demonstrates that sophisticated attackers can discover and exploit obscure hardware features to bypass platform protections. According to Kaspersky, it represents a failure of "security by obscurity" approaches in hardware security.
It also shows that recent iOS security enhancements like the Page Protection Layer (PPL) and Pointer Authentication Codes (PAC) are not bulletproof in the face of unknown hardware bugs.
Hardware-rooted vulnerabilities pose a particular challenge: the flaw itself cannot be changed by a software update, so the vendor can only block access to it from software. Until that happens, an exploit targeting such a flaw can remain viable for years across multiple iOS versions.
About Operation Triangulation
Operation Triangulation was uncovered by cybersecurity firm Kaspersky earlier this year. The campaign has been ongoing since 2019 and primarily targets iOS devices using zero-click exploits delivered via the iMessage platform. The spyware targeted a small number of iPhone users worldwide, including journalists, human rights activists, and government officials.
The exploit chain worked on all iOS versions up to 16.2. Apple patched the vulnerabilities over the course of 2023, beginning with the font-parsing bug in iOS 16.3 and finishing with the hardware MMIO bypass in iOS 16.6.
The Operation Triangulation campaign is an intriguing case study in the lengths attackers will go to in order to compromise hardened targets. While iPhone security continues to improve, it shows that motivated attackers with sufficient resources can still find a way in through complex exploit chains and little-known flaws.
For users, it underlines the importance of installing updates promptly; because the chain was zero-click, caution with links alone would not have prevented infection. For Apple, it highlights areas where iOS can be made more resilient against advanced persistent threats in the future.