Operation Triangulation is a highly advanced spyware campaign that has been targeting iPhone users since at least 2019. It exploits an undocumented TrueType font instruction in Apple iOS devices, allowing attackers to remotely execute code without any user interaction.

Description

The campaign incorporates a series of zero-click exploits sent via iMessage, which trigger a remote code execution vulnerability [2] [5] [8]. The attack chain includes techniques such as return-oriented and jump-oriented programming [3], JavaScript obfuscation [3], and manipulation of JavaScriptCore and kernel memory [3].

Security researchers at Kaspersky discovered the Operation Triangulation campaign in June 2023 and spent over a year reverse-engineering it. They found that the campaign utilizes four zero-day vulnerabilities [4]: CVE-2023-41990 [7], CVE-2023-32434 [3] [7], CVE-2023-32435 [3] [7], and CVE-2023-38606 [3] [4] [7]. Of these, CVE-2023-38606 is particularly noteworthy [6] [7], as it allows attackers to bypass hardware-based security protections [7]. This vulnerability specifically targets Apple A12 to A16 Bionic SoCs and relies on MMIO registers that are not publicly documented. How the attackers learned of these registers remains unknown [7].

By exploiting these vulnerabilities, the attackers gain complete control over the iOS device’s memory [3], enabling them to access sensitive data and carry out actions such as sending recordings [3], pictures [3], and location information to their servers [3]. The campaign has targeted iOS devices up to version 16.2.

In response to these security issues, Apple has updated the device’s internal map to control access to specific memory areas and has released patches for some of the exploited vulnerabilities. However, the Operation Triangulation campaign highlights the ongoing need for vigilance in addressing zero-day exploits and the importance of addressing hardware vulnerabilities in addition to software vulnerabilities.
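The mitigation described above amounts to a default-deny map of permitted register ranges: an access outside the map is refused, so an undocumented register is unreachable even if an attacker knows its address. The following is an added illustrative model of that policy, not code from the article or from Apple; the address ranges are constructed placeholders, not real SoC registers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One permitted MMIO window: [base, base + size) and whether writes are allowed. */
typedef struct { uint64_t base; uint64_t size; bool writable; } mmio_range_t;

/* Constructed sample map. These addresses are placeholders for illustration only. */
static const mmio_range_t g_mmio_map[] = {
    { 0x200000000ULL, 0x1000, true  },  /* hypothetical documented peripheral, read/write */
    { 0x200010000ULL, 0x4000, false },  /* hypothetical status block, read-only */
};

typedef enum { MMIO_DENY = 0, MMIO_ALLOW = 1 } mmio_verdict_t;

/* Allow only if [addr, addr + len) lies wholly inside one mapped window and the
 * access type is permitted there. Anything unmapped is denied by default, which is
 * the property that closes off registers nobody documented. Overflow is rejected. */
mmio_verdict_t mmio_check(uint64_t addr, uint64_t len, bool is_write) {
    if (len == 0 || addr > UINT64_MAX - len) return MMIO_DENY;
    for (size_t i = 0; i < sizeof g_mmio_map / sizeof g_mmio_map[0]; i++) {
        const mmio_range_t *r = &g_mmio_map[i];
        if (addr >= r->base && addr + len <= r->base + r->size) {
            return (is_write && !r->writable) ? MMIO_DENY : MMIO_ALLOW;
        }
    }
    return MMIO_DENY;
}

int main(void) {
    /* Constructed accesses: one mapped write, one write to a read-only window,
     * one to an address absent from the map, one straddling a window boundary. */
    struct { uint64_t addr; uint64_t len; bool write; } probes[] = {
        { 0x200000000ULL, 4, true  },
        { 0x200010000ULL, 4, true  },
        { 0x200020000ULL, 4, false },
        { 0x200000FFEULL, 4, false },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        mmio_verdict_t v = mmio_check(probes[i].addr, probes[i].len, probes[i].write);
        printf("%s 0x%llx len %llu -> %s\n", probes[i].write ? "write" : "read",
               (unsigned long long)probes[i].addr, (unsigned long long)probes[i].len,
               v == MMIO_ALLOW ? "ALLOW" : "DENY");
    }
    return 0;
}
```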

Conclusion

While it is impossible to completely protect against zero-day attacks [3], iPhone users can take steps to mitigate the damage [3]. This includes regularly updating their iOS, exercising caution with messages from unknown sources [3], using strong passwords and enabling two-factor authentication [3], and regularly backing up their data [3]. Apple has also introduced a security feature called “Lockdown Mode” for high-profile individuals targeted by sophisticated cyberattacks [3]. There is no evidence to support claims that Apple provided a backdoor to the NSA [4].

Researchers have disclosed new details about the “Operation Triangulation” campaign [9], which involved zero-click attacks on iPhones [9]. The attacks exploited a flaw in an undocumented Apple hardware security feature [9], allowing attackers to manipulate protected memory and gain control of iPhones and potentially other Apple devices [9]. The vulnerabilities used in the exploit chain have since been patched by Apple [9]. The attacks began with a malicious iMessage attachment that exploited a remote code execution vulnerability [8] [9]. The spyware installed through the exploit allowed attackers to carry out espionage activities and transmit the phone’s contents to their servers [9]. The malware was designed to work on various Apple devices [9], including macOS devices [9], iPads [9], Apple TVs [1] [6] [7] [9], and Apple Watches [9]. The researchers described the attack chain as the most sophisticated they have ever seen and highlighted the weakness of relying on “security through obscurity” in hardware security [9].

References

[1] https://www.iphoneincanada.ca/2023/12/27/researchers-zero-day-imessage-exploits-iphones/
[2] https://securityaffairs.com/156557/intelligence/operation-triangulation-undocumented-hardware-feature.html
[3] https://appleinsider.com/articles/23/12/28/operation-triangulation-exposes-advanced-imessage-attack-on-security-firm
[4] https://vulnera.com/newswire/undocumented-hardware-feature-exploited-in-iphone-triangulation-attack/
[5] https://siliconangle.com/2023/12/27/operation-triangulation-previously-unknown-feature-iphones-exploited-spyware/
[6] https://bgr.com/tech/the-most-sophisticated-iphone-attack-ever-used-a-hidden-hardware-feature-to-backdoor-the-phone-but-youre-safe/
[7] https://thehackernews.com/2023/12/most-sophisticated-iphone-hack-ever.html
[8] https://www.androidheadlines.com/2023/12/0-click-imessage-attack-vulnerabilities.html
[9] https://www.scmagazine.com/news/4-year-iphone-0-click-spyware-campaign-detailed