‘Triangulation’ — Complex Exploit Backdoored Unknown Number of iPhones Over 4 Years
Dan Goodin, reporting for Ars Technica:
Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky. Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.

“The exploit’s sophistication and the feature’s obscurity suggest the attackers had advanced technical capabilities,” Kaspersky researcher Boris Larin wrote in an email. “Our analysis hasn’t revealed how they became aware of this feature, but we’re exploring all possibilities, including accidental disclosure in past firmware or source code releases. They may also have stumbled upon it through hardware reverse engineering.” […]

The mass backdooring campaign, which according to Russian officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia, according to Russian government officials, came to light in June. Over a span of at least four years, Kaspersky said, the infections were delivered in iMessage texts that installed malware through a complex exploit chain without requiring the receiver to take any action.
From the report by the Kaspersky researchers:
If we try to describe this feature and how the attackers took advantage of it, it all comes down to this: they are able to write data to a certain physical address while bypassing the hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware.

Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake. Because this feature is not used by the firmware, we have no idea how attackers would know how to use it.