Zero-click, zero-day exploits of the iMessage vulnerability in Apple smart devices are still raging.
A vulnerability has been discovered in the System on a Chip (SoC) hardware of Apple smart devices; it has played a critical role in the recent iPhone attacks known as Operation Triangulation.
In that series of attacks, attackers were able to bypass the hardware-based memory protection on iPhones running iOS versions up to iOS 16.6.
The discovered vulnerability is actually a hardware ‘feature’ that may have been intended for Apple’s internal testing or debugging purposes (also known as a “backdoor”). The attackers leveraged this hardware ‘feature’ to bypass hardware-based security protections and manipulate the contents of protected memory regions (CVE-2023-38606).
According to researchers from Kaspersky, this hardware feature was not publicly documented, presenting a significant challenge in its detection and analysis using conventional security methods. The following facts are known:
- These hardware SoC vulnerabilities impact a broad spectrum of Apple products, including iPhones, iPods, iPads, macOS devices, Apple TV, and Apple Watch. The vulnerability requires no user interaction. When a malicious iMessage is received (including an attachment containing the exploit), the user’s vulnerable Apple device is compromised.
- “Operation Triangulation” is a sophisticated Advanced Persistent Threat (APT) campaign targeting iOS devices. It employs “zero-click exploits” distributed via iMessage, enabling attackers to gain complete control over the targeted device and access user data. Private information can be transmitted to remote servers: microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities.
- Apple has responded by releasing security updates to address four zero-day vulnerabilities identified by Kaspersky researchers: CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, and CVE-2023-41990.
- Unknown Memory-Mapped I/O (MMIO) addresses were used by the attackers to bypass the hardware-based kernel memory protection.
According to Boris Larin, Principal Security Researcher at Kaspersky’s Global Research and Analysis Team: “This is no ordinary vulnerability. Due to the closed nature of the iOS ecosystem, the discovery process was both challenging and time-consuming, requiring a comprehensive understanding of both hardware and software architectures. What this discovery teaches us once again is that even advanced hardware-based protections can be rendered ineffective in the face of a sophisticated attacker, particularly when there are hardware features allowing to bypass these protections.”