Mysterious Apple SoC Feature Exploited to Hack Kaspersky Employee iPhones

iOS zero-click attack targeting Kaspersky iPhones bypassed hardware-based security protections to take over devices.

A hardware feature present in an Apple system-on-a-chip (SoC) was abused to successfully bypass protections and take over devices in attacks targeting the iPhones of dozens of Kaspersky senior employees earlier this year, the Russian cybersecurity vendor reports.

As part of the attacks, which are referred to as ‘Operation Triangulation’, multiple iOS zero-day vulnerabilities were exploited to execute code and install spyware on the target devices.

Dubbed TriangleDB, the spyware implant was designed to be as stealthy as possible, with the infection chain involving multiple checks and log-erasing actions to prevent the malware’s identification.

Apple released patches for three of the exploited vulnerabilities in June and July, noting that they could only be exploited in attacks against iOS versions before iOS 15.7.

Previously, Kaspersky explained that the attacks employed malicious iMessage attachments that would exploit a remote code execution (RCE) zero-day (tracked as CVE-2023-32434) and deploy TriangleDB without user interaction.

Two other zero-day flaws were also exploited as part of the infection chain: an RCE issue in the Apple-only ADJUST TrueType font instruction (CVE-2023-41990) and a bypass of hardware-based security protections (CVE-2023-38606).

The most interesting of these issues, Kaspersky notes in a technical write-up, is CVE-2023-38606, as it allowed the JavaScript exploit in Operation Triangulation to use “hardware memory-mapped I/O (MMIO) registers to bypass the Page Protection Layer (PPL)”.

“If we try to describe this feature and how the attackers took advantage of it, it all comes down to this: they are able to write data to a certain physical address while bypassing the hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware,” Kaspersky notes.

The exploited feature, the cybersecurity firm says, was likely intended for debugging purposes or might have been included by error, as it is undocumented and unknown.

The MMIO registers used in the attack do not belong to any of the known MMIO ranges of peripheral devices in Apple products, which are defined and stored in the DeviceTree, a special file format.
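The observation above suggests a simple defensive check: given the peripheral MMIO windows a DeviceTree declares, any register access that falls outside every declared window is worth flagging. The following is an added example, not code from Kaspersky, Apple or the article; it does not parse Apple's binary DeviceTree, but assumes the (name, base, size) triples have already been extracted from it, and every range and access address below is a constructed placeholder rather than a real Apple SoC address.

```python
"""Flag MMIO accesses that land outside every DeviceTree-declared range.

Added example: the ranges and accesses here are constructed placeholders
and are NOT the real addresses from the Operation Triangulation exploit.
"""
import bisect
from dataclasses import dataclass


@dataclass(frozen=True)
class MmioRange:
    """One peripheral window as a DeviceTree would declare it (base, size)."""
    name: str
    base: int
    size: int

    @property
    def end(self) -> int:
        # Exclusive upper bound of the window.
        return self.base + self.size


class MmioMap:
    """Sorted, non-overlapping index of declared MMIO windows."""

    def __init__(self, entries):
        ranges = sorted((MmioRange(n, b, s) for n, b, s in entries),
                        key=lambda r: r.base)
        # A DeviceTree with overlapping windows is malformed; refuse it
        # rather than silently attributing an address to the wrong device.
        for prev, cur in zip(ranges, ranges[1:]):
            if cur.base < prev.end:
                raise ValueError(
                    f"overlapping MMIO ranges: {prev.name} and {cur.name}")
        self.ranges = ranges
        self._bases = [r.base for r in ranges]

    def owner(self, addr: int):
        """Name of the declared window containing addr, or None if undeclared."""
        i = bisect.bisect_right(self._bases, addr) - 1
        if i >= 0 and addr < self.ranges[i].end:
            return self.ranges[i].name
        return None

    def audit(self, accesses):
        """Return (addr, value, owner) for each access; owner is None when
        the address is outside every declared window."""
        return [(addr, value, self.owner(addr)) for addr, value in accesses]


# Constructed placeholder DeviceTree windows (hypothetical names/addresses).
CONSTRUCTED_ENTRIES = [
    ("uart0", 0x2000_0000, 0x1000),
    ("gpu",   0x2010_0000, 0x10000),
    ("dart",  0x2200_0000, 0x4000),
]
CONSTRUCTED_MAP = MmioMap(CONSTRUCTED_ENTRIES)

# Constructed sample of observed register writes: (address, value).
CONSTRUCTED_ACCESSES = [
    (0x2000_0010, 0x41),       # inside uart0
    (0x2010_0040, 0x1),        # inside gpu
    (0x2020_0000, 0xdead),     # between gpu and dart: undeclared
    (0x2200_3FFF, 0x2),        # last byte of dart
    (0x2200_4000, 0xbeef),     # one past dart: undeclared
]


def audit_constructed():
    """Run the audit over the constructed sample."""
    return CONSTRUCTED_MAP.audit(CONSTRUCTED_ACCESSES)


def undeclared_accesses(findings):
    """Filter audit output down to accesses outside every declared window."""
    return [(addr, value) for addr, value, owner in findings if owner is None]


if __name__ == "__main__":
    for addr, value, owner in audit_constructed():
        print(f"{addr:#010x} <- {value:#x}: {owner or 'UNDECLARED'}")
```

The map rejects overlapping windows up front, because attributing an address to the wrong peripheral would hide exactly the kind of out-of-range access the check exists to surface; the lookup itself is a binary search on the sorted bases followed by a single bound check.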

Kaspersky’s analysis of the exploit chain revealed that the targeted registers belonged to the GPU coprocessor, and that the attackers abused them to write to memory, bypass protections, and achieve RCE.

“This is no ordinary vulnerability, and we have many unanswered questions. We do not know how the attackers learned to use this unknown hardware feature or what its original purpose was. Neither do we know if it was developed by Apple or it’s a third-party component like ARM CoreSight,” Kaspersky notes.

In June, on the same day that Kaspersky disclosed the iOS zero-click attacks, Russia’s Federal Security Service (FSB) blamed the US National Security Agency for a spy campaign targeting thousands of iOS devices.

Related: Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones

Related: Spyware Caught Masquerading as Israeli Rocket Alert Applications

Related: Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
