In a revelation that continues to baffle researchers, a sophisticated and extensive iPhone backdooring campaign that unfolded over four years targeted numerous devices, including those owned by employees of the Moscow-based security firm Kaspersky. One of the most notable findings from the investigation is that the unknown attackers exploited a vulnerability in an undocumented hardware feature, known to only a select few outside of Apple and chip suppliers like ARM Holdings.
Kaspersky researcher Boris Larin said that the sophistication of the exploit and the obscurity of the feature point to attackers with advanced technical capabilities. After roughly 12 months of investigation, the researchers still do not know how the attackers learned of the feature. Possibilities include an accidental disclosure in a past firmware or source code release, discovery through hardware reverse engineering, or some other method that has not been disclosed.
An inherent part of the iPhone
Several questions remain open, including the exact purpose of the hardware feature and whether it is an inherent part of the iPhone or is provided by a third-party hardware component, such as ARM's CoreSight on-chip debug and trace architecture.
The backdooring campaign, first disclosed in June, targeted iPhones globally, including those of people working in diplomatic missions and embassies in Russia, according to Russian government officials. Over at least four years, Kaspersky reported, the infections were delivered through iMessage texts that triggered a complex exploit chain and installed malware without any action from the recipient, a so-called zero-click attack.
The compromised devices were loaded with full-featured spyware that sent sensitive data, including microphone recordings, photos, and geolocation, to attacker-controlled servers. The infection did not survive a reboot, but the attackers simply re-infected devices by sending new malicious iMessage texts shortly after they restarted.
Additional details disclosed on Wednesday shed light on the complexity of the attack, which Kaspersky calls "Operation Triangulation." The malware and the campaign exploited four critical zero-day vulnerabilities, that is, flaws the attackers knew about and used before Apple did. Apple has since patched all four; they are tracked as CVE-2023-32434 (an integer overflow in the kernel), CVE-2023-32435 (WebKit), CVE-2023-38606 (the bypass of hardware-based kernel memory protection that relied on the undocumented hardware feature), and CVE-2023-41990 (the FontParser flaw that gave the attackers their initial code execution).
Apple declined to provide input
The same zero-days and the undocumented hardware feature were not limited to iPhones; they were also present in Macs, iPods, iPads, Apple TVs, and Apple Watches, and the exploits Kaspersky recovered were deliberately built to work on those devices as well. Apple has since fixed the vulnerabilities across its product line. Despite multiple requests for comment, Apple declined to provide input for this article.
Identifying infections is very difficult, even for people with advanced forensic skills. For those who want to try, Kaspersky has published a list of Internet addresses, files, and other indicators of compromise to check against.
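A published indicator list like Kaspersky's is most useful when it is fed to something that checks logs automatically. The script below is an added example, not code from the article or from Kaspersky; the indicator values and log lines in it are constructed placeholders (reserved `.invalid` names, a TEST-NET address block and a synthetic hash), not the campaign's real indicators, and the log format is an assumed `key=value` layout. It shows two details practitioners often get wrong: published indicators are usually "defanged" (`hxxps://`, `[.]`) and must be normalised before comparison, and a domain indicator should match its subdomains but not unrelated names that merely contain it as a substring.

```python
"""Match a defanged indicator-of-compromise (IOC) list against log lines.

Added example, not part of the original article or of Kaspersky's tooling.
All indicators and log lines below are constructed placeholders, NOT the
published Operation Triangulation indicators; substitute the real list.
"""
import ipaddress
import re
from dataclasses import dataclass

# IOC lists are commonly defanged so the indicators are not clickable.
_DEFANG = (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http"))


def refang(value: str) -> str:
    """Undo common defanging and lower-case the indicator."""
    v = value.strip().lower()
    for bad, good in _DEFANG:
        v = v.replace(bad, good)
    return v


def parse_ioc_list(text: str) -> dict:
    """Sort free-form IOC lines into domains, IP networks and SHA-256 hashes."""
    iocs = {"domains": set(), "networks": [], "sha256": set()}
    for raw in text.splitlines():
        line = refang(raw.split("#", 1)[0])  # drop comments
        if not line:
            continue
        if re.fullmatch(r"[0-9a-f]{64}", line):
            iocs["sha256"].add(line)
            continue
        try:  # a bare address becomes a /32 (or /128) network
            iocs["networks"].append(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass
        # Reduce a URL indicator to its host: scheme, path and port are dropped.
        host = re.sub(r"^[a-z]+://", "", line).split("/", 1)[0].split(":", 1)[0]
        iocs["domains"].add(host)
    return iocs


def match_domain(host: str, domains: set):
    """Return the indicator hit by host or any of its parent domains.

    cdn.c2.invalid matches an indicator c2.invalid, but the bare TLD is
    never tried, and invalid.example does NOT match c2.invalid.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_ip(endpoint: str, networks: list):
    """Return the network containing the address in 'ip' or 'ip:port'."""
    addr = endpoint.rsplit(":", 1)[0] if endpoint.count(":") == 1 else endpoint
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


@dataclass
class Hit:
    line_no: int
    kind: str        # "domain", "ip" or "sha256"
    value: str       # what the log contained
    indicator: str   # which IOC it matched


_FIELD = re.compile(r"(\w+)=(\S+)")


def scan_logs(lines, iocs: dict) -> list:
    """Check assumed key=value log lines against the parsed IOC set."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(_FIELD.findall(line))
        for key in ("query", "host", "sni"):
            if key in fields and (ind := match_domain(fields[key], iocs["domains"])):
                hits.append(Hit(n, "domain", fields[key], ind))
        for key in ("dst", "src", "remote"):
            if key in fields and (ind := match_ip(fields[key], iocs["networks"])):
                hits.append(Hit(n, "ip", fields[key], ind))
        if fields.get("sha256", "").lower() in iocs["sha256"]:
            hits.append(Hit(n, "sha256", fields["sha256"], fields["sha256"].lower()))
    return hits


# Constructed placeholders, not the real indicators.
SAMPLE_IOC_LIST = """
# domains
c2-placeholder[.]invalid
hxxps://update-placeholder[.]invalid/api/v1
# infrastructure
203.0.113.0/24
# payload hash
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Constructed log lines in the assumed format.
SAMPLE_LOGS = [
    "2023-06-01T10:00:01Z dns client=10.0.0.5 query=cdn.c2-placeholder.invalid type=A",
    "2023-06-01T10:00:02Z conn client=10.0.0.5 dst=203.0.113.77:443 proto=tcp",
    "2023-06-01T10:00:03Z dns client=10.0.0.9 query=www.apple.com type=A",
    "2023-06-01T10:00:04Z file client=10.0.0.5 path=/private/var/tmp/x "
    "sha256=0123456789ABCDEF0123456789abcdef0123456789abcdef0123456789abcdef",
    "2023-06-01T10:00:05Z http client=10.0.0.9 host=update-placeholder.invalid.example path=/",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, parse_ioc_list(SAMPLE_IOC_LIST)):
        print(f"line {hit.line_no}: {hit.kind} {hit.value} -> {hit.indicator}")
```

Running it reports lines 1, 2 and 4 and nothing for line 5, whose host only contains an indicator as a substring. Because the infection described above does not survive a reboot, on-device artifacts may be sparse by the time a phone is examined; network logs collected at a gateway or resolver are often the more durable place to run a check like this.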