A team of researchers has discovered a vulnerability in Apple System on a chip, or SoC, that has played a critical role in the recent iPhone attacks, known as Operation Triangulation, allowing attackers to bypass the hardware-based memory protection on iPhones running iOS versions up to iOS 16.6, a new report said on Friday.

According to the global cybersecurity firm Kaspersky, the discovered vulnerability is a hardware feature, possibly based on the principle of “security through obscurity,” and may have been intended for testing or debugging.

Following the initial 0-click iMessage attack and subsequent privilege escalation, the attackers leveraged this hardware feature to bypass hardware-based security protections and manipulate the contents of protected memory regions.

This step was crucial for obtaining full control over the device. Apple addressed the issue, identified as CVE-2023-38606, the report mentioned.

“This is no ordinary vulnerability. Due to the closed nature of the iOS ecosystem, the discovery process was both challenging and time-consuming, requiring a comprehensive understanding of both hardware and software architectures,” said Boris Larin, Principal Security Researcher at Kaspersky’s GReAT.

Buy Me a Coffee

“What this discovery teaches us once again is that even advanced hardware-based protections can be rendered ineffective in the face of a sophisticated attacker, particularly when there are hardware features allowing to bypass these protections,” he added.

As per the researchers, this feature was not publicly documented, presenting a significant challenge in its detection and analysis using conventional security methods.

The researchers conducted extensive reverse engineering, meticulously analyzing the iPhone’s hardware and software integration, with a particular emphasis on Memory-Mapped I/O, or MMIO, addresses, which are critical for facilitating efficient communication between the CPU and peripheral devices in the system.

READ
Apple Releases iOS 18.1.1 and iPadOS 18.1.1 with Critical Security Fixes

Unknown MMIO addresses, used by the attackers to bypass the hardware-based kernel memory protection, were not identified in any device tree ranges, presenting a significant challenge, the report explained.

“Operation Triangulation” is an Advanced Persistent Threat (APT) campaign targeting iOS devices. This sophisticated campaign employs zero-click exploits distributed via iMessage, enabling attackers to gain complete control over the targeted device and access user data.