Apple users rarely see malware notifications like the ones that keep popping up on Android, including apps that Google has to ban. But just because iPhone security is better doesn’t mean hackers have given up. A few years ago, we saw the infamous Pegasus spyware, which relied on an iMessage exploit to infect phones without the recipient even having to tap a link. Apple has patched the flaws Pegasus exploited, but that hasn’t stopped attackers from looking for more vulnerabilities in the iPhone and other devices.
Operation Triangulation, found by researchers at the Russian security firm Kaspersky, is the latest such iPhone attack. Kaspersky describes it as the “most sophisticated” iPhone attack it has ever seen. Like Pegasus, it starts with a zero-click iMessage exploit, which it chains with three other vulnerabilities to backdoor the iPhone. Interestingly, one of these vulnerabilities concerns a hidden, undocumented hardware feature of the iPhone that the researchers cannot explain.
Before you panic, you should know this iPhone attack was used by a highly advanced entity to spy on unnamed key political figures. This is not a malware campaign that will empty your bank account or that targets regular users. Even though the vulnerabilities were abused for four years, mass deployment was never the goal. Also, Apple has patched all four vulnerabilities, so Operation Triangulation should no longer work on an up-to-date device.
Operation Triangulation didn’t go after your money
As Ars Technica reports, Operation Triangulation first came to light in June 2023. Like Pegasus, the attackers delivered the malicious payload over iMessage.
Thousands of people working inside diplomatic missions and embassies in Russia might have been infected this way, according to Russian officials, who blamed the NSA for the hack. No evidence was offered to substantiate that claim.
Kaspersky has been investigating Operation Triangulation ever since without being able to point the finger at a culprit. The attack also hit Kaspersky’s own employees.
“Currently, we cannot conclusively attribute this cyberattack to any known threat actor,” Kaspersky researcher Boris Larin told Ars. “The unique characteristics observed in Operation Triangulation don’t align with patterns of known campaigns, making attribution challenging at this stage.”
Kaspersky’s latest discovery concerns an undocumented hardware feature of the iPhone. The attackers were able to abuse a vulnerability in this feature, but it’s unclear how they knew the feature existed in the first place.
The hidden hardware hack
Specifically, the hackers bypassed hardware-based memory protections that are supposed to keep an attacker from taking control of the iPhone even after they have gained the ability to read and write kernel memory. Those protections should have stopped the chain at that point.
However, the Operation Triangulation attackers abused the hidden hardware feature to get around this protection. So one of the questions Kaspersky can’t answer is how the attackers knew about it. From the Kaspersky research paper:
If we try to describe this feature and how attackers use it, it all comes down to this: attackers are able to write the desired data to the desired physical address with [the] bypass of [a] hardware-based memory protection by writing the data, destination address and hash of data to unknown, not used by the firmware, hardware registers of the chip.
Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or was included by mistake. Since this feature is not used by the firmware, we have no idea how attackers would know how to use it.
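The paragraph above is easier to follow as a model. The C below is an added illustration, not code from Kaspersky’s report or Apple’s hardware: the register layout, the protected address range, and the hash function are all made up. It models a chip whose normal CPU write path enforces a protected range, plus a second, register-driven write path that commits (data, address, hash) triples straight to physical memory. With `enforce_on_mmio` cleared, the second path behaves like the undocumented feature the report describes and the protection is bypassed; with it set, the same protection check is applied on every path and the bypass fails.

```c
/* Toy model of a hardware memory-protection bypass via unused registers.
 * Constructed illustration only: addresses, register offsets and the hash
 * are hypothetical and bear no relation to Apple silicon. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PHYS_SIZE  4096
#define PROT_START 0x800   /* hypothetical protected range, e.g. page tables */
#define PROT_END   0xC00

/* Hypothetical "unused by firmware" registers (made-up offsets). */
enum { REG_DATA = 0, REG_ADDR = 1, REG_HASH = 2, REG_COUNT = 3 };

struct chip {
    uint8_t  phys[PHYS_SIZE];   /* physical memory */
    uint64_t regs[REG_COUNT];   /* the undocumented registers */
    int      enforce_on_mmio;   /* 0 = register path skips protection, 1 = fixed */
};

void chip_init(struct chip *c, int enforce_on_mmio) {
    memset(c, 0, sizeof *c);
    c->enforce_on_mmio = enforce_on_mmio;
}

static int is_protected(uint32_t addr, size_t len) {
    return addr < PROT_END && addr + len > PROT_START;
}

/* Normal write path used by the kernel: protection is enforced here. */
int cpu_write(struct chip *c, uint32_t addr, const void *src, size_t len) {
    if (addr + len > PHYS_SIZE) return -1;     /* out of range */
    if (is_protected(addr, len)) return -2;    /* denied by hardware protection */
    memcpy(c->phys + addr, src, len);
    return 0;
}

/* Stand-in for the unknown hash the report mentions (assumed FNV-1a style). */
uint64_t toy_hash(uint64_t data, uint32_t addr) {
    uint64_t h = 0xcbf29ce484222325ULL ^ addr;
    for (int i = 0; i < 8; i++) {
        h ^= (data >> (8 * i)) & 0xff;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Register write path: the write commits when REG_HASH is written. */
int mmio_write(struct chip *c, int reg, uint64_t val) {
    if (reg < 0 || reg >= REG_COUNT) return -1;
    c->regs[reg] = val;
    if (reg != REG_HASH) return 0;             /* staging only */
    uint64_t data = c->regs[REG_DATA];
    uint32_t addr = (uint32_t)c->regs[REG_ADDR];
    if (addr + 8 > PHYS_SIZE) return -1;
    if (toy_hash(data, addr) != val) return -3; /* hash mismatch: nothing written */
    if (c->enforce_on_mmio && is_protected(addr, 8)) return -2; /* the fix */
    memcpy(c->phys + addr, &data, 8);          /* vulnerable: no protection check */
    return 0;
}

/* Attacker sequence from the report: data, then address, then hash.
 * Returns 1 if the protected word was overwritten, 0 otherwise. */
int attempt_bypass(struct chip *c) {
    uint32_t target  = PROT_START + 0x10;
    uint64_t payload = 0x4141414141414141ULL;
    mmio_write(c, REG_DATA, payload);
    mmio_write(c, REG_ADDR, target);
    mmio_write(c, REG_HASH, toy_hash(payload, target));
    uint64_t now;
    memcpy(&now, c->phys + target, 8);
    return now == payload;
}

int main(void) {
    struct chip c;
    uint8_t zeros[8] = {0};
    chip_init(&c, 0);
    printf("cpu_write into protected range: %d\n", cpu_write(&c, PROT_START + 0x10, zeros, 8));
    printf("bypass via registers (unfixed): %d\n", attempt_bypass(&c));
    chip_init(&c, 1);
    printf("bypass via registers (fixed):   %d\n", attempt_bypass(&c));
    return 0;
}
```

The lesson is the one Kaspersky draws: the hash is not a defence, just a format the caller has to know, and the protection only holds if every path that can reach protected physical memory is subject to it.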
Once a victim is compromised, Operation Triangulation lets the attackers extract key data, including microphone recordings, photos, location data, and other information. The implant also cleans up its traces and runs Safari in an invisible mode that can be used to load further spyware components.
What you should do
Kaspersky still can’t explain everything about Operation Triangulation, even though it’s the most sophisticated attack the company has seen so far.
“This is no ordinary vulnerability, and we have many unanswered questions,” Kaspersky concluded. “We do not know how the attackers learned to use this unknown hardware feature or what its original purpose was. Neither do we know if it was developed by Apple or it’s a third-party component like ARM CoreSight.”
The report continued, “What we do know—and what this vulnerability demonstrates—is that advanced hardware-based protections are useless in the face of a sophisticated attacker as long as there are hardware features that can bypass those protections.”
Some of the vulnerabilities Kaspersky found also affect other Apple hardware, including Macs, iPads, Apple Watches, Apple TVs, and iPods. As with the iPhone, Apple has patched those platforms as well. With the fixes in place, Operation Triangulation should not work, since the chain needs all four vulnerabilities to function.
In short, you should be safe, especially if you run the latest software versions on your Apple devices. Even if you don’t, Operation Triangulation targets specific people rather than the public at large.
You should check out Ars’s coverage and the Kaspersky research in full if you need more details on this iPhone hack.