Source: securityboulevard.com – Author: Richi Jennings
Operation Triangulation research uncovers new details of fantastic attack chain.
A zero click RCE, chaining four zero days over four years was one hell of an achievement. Yevgeny “Eugene” Valentinovich Kaspersky’s team call it “definitely the most sophisticated attack chain we have ever seen.”
But does that prove Apple colluded with the NSA? You might recall our previous roundup, six months ago. In today’s SB Blogwatch, we do believe the hype.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Die for 2023.
“No Ordinary Vulnerability”
What’s the craic? Bill Toulas reports—“iPhone Triangulation attack abused undocumented hardware feature”:
“Security through obscurity”
Kaspersky analysts … have been reverse-engineering the complex attack chain over the past year, trying to unearth all details that underpin the campaign they originally discovered in June 2023. The … use of obscure hardware features likely reserved for debugging and factory testing to launch spyware attacks against iPhone users suggest that a sophisticated threat actor conducted the campaign.
…
CVE-2023-38606 … addressed on July 24, 2023 with the release of iOS/iPadOS 16.6, is the most intriguing. … Exploiting the flaw allows an attacker to bypass hardware protection on Apple chips. [It] targets unknown MMIO (memory-mapped I/O) registers [which] Operation Triangulation uses … to manipulate hardware features and control direct memory access during the attack. [It’s] an excellent example of why … security through obscurity … is a false premise.
What does Tim’s crew say? Daryna Antoniuk—“Spyware attack chain used previously unknown iPhone hardware feature”:
“Aware of a report”
The previously unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory. Or it was included in the finished consumer version of the iPhone by mistake.
…
Apple fixed this flaw in July, saying that the company “was aware of a report that this issue may have been actively exploited.” … Apple’s spokesperson didn’t provide more details … and instead sent the release notes for the patch.
Horse’s mouth? Boris Larin, Leonid Bezvershenko and Georgy Kucherin—“The last (hardware) mystery”:
“Unknown hardware registers”
On December 27, 2023, we … delivered a presentation … at the 37th Chaos Communication Congress (37C3). [It] summarized the results of our long-term research into Operation Triangulation, conducted with our colleagues, Igor Kuznetsov, Valentin Pashkov, and Mikhail Vinogradov.
…
This is definitely the most sophisticated attack chain we have ever seen. … This 0-click iMessage attack … used four zero-days. … There are certain aspects to one particular vulnerability that we have not been able to fully understand: … CVE-2023-38606. Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory [which] prevents attackers from obtaining full control.
…
To bypass this hardware-based security protection, the attackers … write data to a certain physical address while bypassing the hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of … Apple A12–A16 Bionic SoCs. … We do not know how the attackers learned to use this unknown hardware feature or what its original purpose was.
Proof that Apple added an NSA backdoor? Here’s Nick Heer: [You’re fired—Ed.]
As you might recall, Russian intelligence officials claimed Apple assisted the NSA to build this malware — something which Apple has denied. … No proof has been provided for Apple’s involvement.
…
It does not appear there is any new evidence which would implicate Apple. But it is notable that it relied on an Apple-specific TrueType specification, and bypasses previously undisclosed hardware memory protections.
…
Neither of those things increases the likelihood of Apple’s alleged involvement in my mind. It does show how disused or seemingly irrelevant functions remain vulnerable and can be used by sophisticated and likely state-affiliated attackers.
Implausible. Despite what quamquam quid loquor says:
Sounds incredibly plausible that this was the NSA at work. I doubt Apple is working actively with the NSA, but who knows what they could have been legally compelled to do.
How badly do we want to believe that? CAIMLAS counts the ways:
Every bit of this stinks of state actors: … Most probably from the US.
1) they targeted individuals within known organizations
2) it was a protracted, slowly rolled out campaign
3) the payload was/is highly sophisticated
4) proprietary knowledge was required …
5) non-persistent …
6) payload was not designed for anything other than sigint.
…
They could have been working directly with Apple and had access to the schematics, or they may have had people working for Apple on the downlow who had access to the hardware and put the hardware features in there to begin with for this explicit purpose. And probably several variations on that theme.
However, Guillermo smells a rat:
Kaspersky is on the U.S. FCC list of ‘Communications Equipment And Services That Pose A Threat To National Security’ … right?
Presumably with good reason? RRob bbanks:
It’s commonly assumed Kaspersky works for the Russian government, though maybe not voluntarily. I think that’s a safe assumption to make about any corporation in Russia or China, and this attack makes me believe it even more – someone with extreme resources and knowledge decided they were in scope.
Meanwhile, RitchCraft looks back to earlier this month:
That’s why Apply has done everything they can to stop Beeper. Start poking around an API and you just might discover a backdoor—that was intentionally put there.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: European Commission—photographer: Christophe Licoppe (EC decision 2011/833/EU; leveled and cropped)
Recent Articles By Author
Original Post URL: https://securityboulevard.com/2023/12/nsa-iphone-backdoor-triangulation-richixbw/
Category & Tags: API Security,Application Security,AppSec,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,DevSecOps,Digital Transformation,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,Insider Threats,IOT,IoT & ICS Security,Malware,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Securing Open Source,Securing the Cloud,Securing the Edge,Security at the Edge,Security Boulevard (Original),Security Operations,Social Engineering,Software Supply Chain Security,Spotlight,Threats & Breaches,Vulnerabilities,Zero-Trust,Apple,back door,backdoor,CVE-2023-32434,CVE-2023-32435,CVE-2023-32439,CVE-2023-38606,CVE-2023-41990,FSB,imessage,ios,iPhone,kaspersky,Kaspersky Lab,Kaspersky Security,nsa,Russia,Russian FSB,SB Blogwatch,spyware,triangulation,Zero Click Attack,Zero-Click Exploit – API Security,Application Security,AppSec,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,DevSecOps,Digital Transformation,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,Insider Threats,IOT,IoT & ICS Security,Malware,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Securing Open Source,Securing the Cloud,Securing the Edge,Security at the Edge,Security Boulevard (Original),Security Operations,Social Engineering,Software Supply Chain Security,Spotlight,Threats & Breaches,Vulnerabilities,Zero-Trust,Apple,back door,backdoor,CVE-2023-32434,CVE-2023-32435,CVE-2023-32439,CVE-2023-38606,CVE-2023-41990,FSB,imessage,ios,iPhone,kaspersky,Kaspersky Lab,Kaspersky Security,nsa,Russia,Russian FSB,SB Blogwatch,spyware,triangulation,Zero Click Attack,Zero-Click Exploit
