Exploited iPhone flaws allowed spyware to keep tabs on Russian Embassy workers

admin, 28 December 2023

According to Ars Technica, researchers today presented evidence showing that over four years, thousands of iPhones were attacked by spyware. These iPhones belonged to employees of the security company Kaspersky in Moscow. The attackers gained a level of access never before seen, and did so by exploiting a vulnerability in a hardware feature that few people outside of Apple and semiconductor design company Arm Holdings knew about.

It's unclear how the attackers discovered this hardware feature, and even the researchers have no idea what its purpose is. It's also unclear whether the hardware was a native component of the iPhone or whether it was enabled by a third-party component such as Arm's CoreSight. In addition to infecting iPhones belonging to Kaspersky employees, the spyware also affected iPhones used by thousands of people working at embassies and diplomatic missions in Russia.

How was the spyware delivered to the targeted iPhones? It was apparently sent via iMessage text messages using a process that required no action from the victim. Once infected, iPhones transmitted microphone recordings, photos, geolocation data and other sensitive information to servers controlled by the attackers. While restarting an iPhone would rid the device of the infection, attackers would send a new spyware-laden text to the same device and reinfect it after each reboot.

In an email, Kaspersky researcher Boris Larin wrote: “The sophistication of the exploit and the obscurity of the functionality suggest that the attackers had advanced technical capabilities. Our analysis did not reveal how they became aware of this feature, but we are exploring all possibilities, including accidental disclosure in previous versions of firmware or source code. They may also have stumbled upon it through hardware reverse engineering.”

Both the malware and the campaign that led to its installation were called “Triangulation” and relied on four zero-day vulnerabilities, meaning the attackers knew about these vulnerabilities before Apple did. Apple has since fixed the flaws, which are listed as follows:

  • CVE-2023-32434
  • CVE-2023-32435
  • CVE-2023-38606
  • CVE-2023-41990

The secret hardware feature behind this issue and the four zero-day flaws affected not only iPhone models but also iPads, iPods, Macs, Apple TVs, and Apple Watches. Apple has fixed the vulnerabilities on all the devices mentioned above.

In a press release, Kaspersky's Larin added: “This is no ordinary vulnerability. Due to the closed nature of the iOS ecosystem, the discovery process was both difficult and time-consuming, requiring a comprehensive understanding of hardware and software architectures. The discovery once again teaches us that even advanced hardware protections can be rendered ineffective in the face of a sophisticated attacker, particularly when there are hardware features to bypass these protections.”

As for who was behind the attack, some blame the US National Security Agency (NSA). Russia's Federal Security Service says the attack came from the NSA in collaboration with Apple, although Kaspersky said it had no evidence of its involvement.