Spyware attack chain used previously unknown iPhone hardware feature, report says

Researchers at the cybersecurity firm Kaspersky said they discovered an obscure hardware feature that was likely exploited by hackers during previously reported spyware attacks on iPhone users.

The announcement is an update to the researchers’ investigation of a campaign they named Operation Triangulation. Active since 2019, the hackers have been attacking targets by sending iMessages with malicious attachments and exploiting four zero-day security flaws, researchers said.

The Russian government blamed this campaign on the U.S., alleging that it hacked “thousands of Apple phones” to spy on Russian diplomats. Apple has denied these claims, and Kaspersky has not attributed Operation Triangulation to any government or known hacking group

Kaspersky’s new findings are related to a patched vulnerability tracked as CVE-2023-38606. Apple fixed this flaw in July, saying that the company “was aware of a report that this issue may have been actively exploited.”

The researchers essentially said that the hackers used the obscure hardware feature to override hardware-based security intended to protect the kernel — the core part of an operating system that, among other things, provides a bridge between software and hardware.

“If we try to describe this feature and how the attackers took advantage of it, it all comes down to this: they are able to write data to a certain physical address while bypassing the hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware,” the researchers said.

According to researchers, the previously unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or it was included in the finished consumer version of the iPhone by mistake.

“Because this feature is not used by the firmware, we have no idea how attackers would know how to use it,” the report said.

In a comment to Recorded Future News, Apple’s spokesperson didn’t provide more details about Kaspersky’s new findings and instead sent the release notes for the patch to CVE-2023-38606.

Relative to similar findings that Kaspersky has made over the years, “this is definitely the most sophisticated attack chain we have ever seen.” the researchers said. The company’s explanation of the attack chain includes 13 separate bullet points.

According to Kaspersky, there are other unanswered questions surrounding the security flaw.

“We do not know how the attackers learned to use this unknown hardware feature or what its original purpose was. Neither do we know if it was developed by Apple or it’s a third-party component,” researchers said.

One thing that operations like this make clear is that “advanced hardware-based protections are useless in the face of a sophisticated attacker as long as there are hardware features that can bypass those protections,” Kaspersky said.