Mysterious Apple SoC Feature Exploited to Hack Kaspersky Employee iPhones
iOS zero-click attack targeting Kaspersky iPhones bypassed hardware-based security protections to take over devices.
The Russian cybersecurity vendor reports that a hardware feature present in an Apple system-on-a-chip (SoC) was abused to successfully bypass protections and take over devices in attacks targeting the iPhones of dozens of Kaspersky senior employees earlier this year.
As part of the' Operation Triangulation attacks,’ multiple iOS zero-day vulnerabilities were exploited to execute code and install spyware on the target devices.
Dubbed TriangleDB, the spyware implant was designed to be as stealthy as possible, with the infection chain involving multiple checks and log-erasing actions to prevent the malware’s identification.
Apple released patches for three exploited vulnerabilities in June and July, noting that they could only be used in attacks against iOS versions before iOS 15.7.
Previously, Kaspersky explained that the attacks employed malicious iMessage attachments that would exploit a remote code execution (RCE) zero-day (tracked as CVE-2023-32434) and deploy TriangleDB without user interaction.
Two other zero-day flaws were also exploited as part of the infection chain, including an RCE issue in Apple-only ADJUST TrueType font instruction (CVE-2023-41990) and a bypass of hardware-based security protections (CVE-2023-38606).
The most interesting of these issues, Kaspersky notes in a technical write-up, is CVE-2023-38606, as it allowed the JavaScript exploit in Operation Triangulation to use “hardware memory-mapped I/O (MMIO) registers to bypass the Page Protection Layer (PPL).”
“If we try to describe this feature and how the attackers took advantage of it, it all comes down to this: they can write data to a certain physical address while bypassing the hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware,” Kaspersky notes.
The exploited feature, the cybersecurity firm says, was likely intended for debugging purposes or might have been included by error, as it is undocumented and unknown.
The MMIO registers used in the attack do not belong to the known MMIO ranges of peripheral devices in Apple products that are defined and stored in the particular file format called DeviceTree.
Kaspersky’s analysis of the exploit chain revealed that the targeted registers belonged to the GPU coprocessor and that the attackers abused them to write to memory, bypass protections, and achieve RCE.
“This is no ordinary vulnerability, and we have many unanswered questions. We do not know how the attackers learned to use this unknown hardware feature or its original purpose. Neither do we know if Apple developed it or it’s a third-party component like ARM CoreSight,” Kaspersky notes.
In June, the same day that Kaspersky disclosed the iOS zero-click attacks, Russia’s Federal Security Service (FSB) blamed the US National Security Agency for a spy campaign targeting thousands of iOS devices.
What's Your Reaction?