How hackers used iMessage to attack iPhone users – Times of India

A team of researchers has discovered a vulnerability in an Apple SoC that was used to target iPhones running iOS versions up to iOS 16.6. The hackers used iMessage to initiate the attack and then used flaws in the chip to bypass hardware-based security protections, a report said. Apple plugged the flaw with subsequent updates.
According to a report by cyber security firm Kaspersky, the flaw in the SoC played a critical role in the recent iPhone attacks, known as Operation Triangulation, allowing the attackers to gain complete control over the targeted device and access user data.
How hackers targeted victims
The hackers first sent a malicious iMessage attachment to the target. The entire chain is zero-click, which means that it requires no interaction from the user. These types of attacks also don’t generate any noticeable signs or traces.
The 0-click iMessage attack subsequently let the attackers leverage the hardware vulnerability to bypass hardware-based security protections. They also manipulated the contents of protected memory regions, thereby obtaining full control over the device.
“This is no ordinary vulnerability. Due to the closed nature of the iOS ecosystem, the discovery process was both challenging and time-consuming, requiring a comprehensive understanding of both hardware and software architectures,” said Boris Larin, Principal Security Researcher at Kaspersky’s GReAT.
“What this discovery teaches us once again is that even advanced hardware-based protections can be rendered ineffective in the face of a sophisticated attacker, particularly when there are hardware features allowing to bypass these protections,” he added.
The team said that this unknown hardware feature may have been intended to be used for debugging or testing purposes by Apple engineers or the factory, or it may have been included by mistake.
How researchers found the flaw
Since this feature is not used by the firmware, the researchers say they have no idea how the attackers knew how to use it, which made the attack significantly harder to detect and analyse using conventional security methods.
The researchers resorted to extensive reverse engineering to analyse the iPhone’s hardware and software integration. They particularly looked at Memory-Mapped I/O (MMIO) addresses, which are critical for facilitating communication between the CPU and peripheral devices.