Open Menu
AllLocalCommunitiesAbout
lotide
AllLocalCommunitiesAbout
Login

4-year campaign backdoored iPhones using possibly the most advanced exploit ever

⁨511⁩ ⁨likes⁩

Submitted ⁨⁨10⁩ ⁨months⁩ ago⁩ by ⁨return2ozma@lemmy.world⁩ to ⁨technology@lemmy.world⁩

https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/

source

Comments

Sort:hotnewtop
  • lemann@lemmy.dbzer0.com ⁨10⁩ ⁨months⁩ ago

    Wow, this is a very complex exploit, involving bits of iMessage and an undocumented CPU feature that allowed the attacker to evade hardware memory protection. From what I can see, Lockdown mode would have prevented this. The attacker is ridiculously skilled regardless

    Exerpts from the article missing from the bot summary:

    The mass backdooring campaign, which according to Russian officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia, according to Russian government officials, came to light in June. Over a span of at least four years, Kaspersky said, the infections were delivered in iMessage texts that installed malware through a complex exploit chain without requiring the receiver to take any action.

    With that, the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers. Although infections didn’t survive a reboot, the unknown attackers kept their campaign alive simply by sending devices a new malicious iMessage text shortly after devices were restarted.

    The most intriguing new detail is the targeting of the […] hardware feature […]. A zero-day in the feature allowed the attackers to bypass advanced hardware-based memory protections designed to safeguard device system integrity even after an attacker gained the ability to tamper with memory of the underlying kernel.

    Image

    source
    • AnneBonny@lemmy.dbzer0.com ⁨10⁩ ⁨months⁩ ago

      someone was made fun of one too many times about having green bubbles in imessage

      source
      • doppelgangmember@lemmy.world ⁨10⁩ ⁨months⁩ ago

        The true villain origin story

        source
        • -> View More Comments
    • GlitzyArmrest@lemmy.world ⁨10⁩ ⁨months⁩ ago

      Seems like the definition of advanced persistent threat.

      source
      • psud@lemmy.world ⁨10⁩ ⁨months⁩ ago

        It isn’t persistent over a reboot, but the tested devices received new corrupted iMessages immediately after reboot

        source
      • MaxVoltage@lemmy.world ⁨10⁩ ⁨months⁩ ago

        Reminded me restart all my devices

        source
  • LainOfTheWired@lemy.lol ⁨10⁩ ⁨months⁩ ago

    It’s not purely talent that allows them to make this kind of stuff. Otherwise people outside of these agencies would be making this stuff too. It’s also the fact the CIA or any of the others can go to apple for example and get all of the information on how these chips are made and the firmware on them, then put the company under a gag order.

    It is silly to assume the governments hackers are any better then a good hacker that doesn’t work for them. And you need to realise that their advantages come from legal power, resources, and lesser regulations on research.

    Because a lot of silly conspiracy theories seem to stem from people believing that the government are somehow superior beings, when the only thing that makes them different from anyone else is power.

    source
    • PM_Your_Nudes_Please@lemmy.world ⁨10⁩ ⁨months⁩ ago

      Yup. The government has historically had issues keeping good hackers on their payroll. Because the good ones can make way more money in the private sector, so what incentive do they have to actually stick around?

      There’s also the issue that the federal government has been required to drug test due to regulations requiring all federal employees to be tested. And good luck finding a good hacker who would be willing to take a drug test.

      source
      • agitatedpotato@lemmy.world ⁨10⁩ ⁨months⁩ ago

        If you hire the hackers that tried to hack you instead of sending them to prison, you can fix the talent retention problem, but I think they already figured that out. Wonder if the kid who hacked GTA is being looked at in that way or if they don’t want to deal with his mannerisms.

        source
        • -> View More Comments
  • sirdorius@programming.dev ⁨10⁩ ⁨months⁩ ago

    The exploit’s sophistication and the feature’s obscurity suggest the attackers had advanced technical capabilities

    exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.

    according to Russian officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia

    the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers

    Sounds like government espionage

    puts tinfoil hat on

    source
    • adrian783@lemmy.world ⁨10⁩ ⁨months⁩ ago

      4 zero days means they bought it on black market at least.

      source
  • elias_griffin@lemmy.world ⁨10⁩ ⁨months⁩ ago

    I recently invented a “People First” Cybersecurity Vulnerability Scoring method and I called it CITE, Civilian Internet Threat Evaluation with many benefits over CVSS. In it, I prioritize “exploit chains” as the primary threat going forward. Low and behold, this new exploit, although iOS, possibly one of the most sophisticated attacks ever using one of the longest exploit chains ever! Proof positive!

    Depending on how you define it; I define the Kaspersky diagram has 8 steps. In my system, I define steps that advance the exploit discretely as stages, so I would evaluated Triangulation to be a 4 stage exploit chain. I should tally this attack to see how it scores and make a CITE-REP(ort).

    You can read about it if interested. An intersting modeling problem for me was does stages always equate to complexity? Number of exploits in the chain make it easier or harder to intrusion detect given that it was designed as a chain, maybe to prevent just that? How are stages, complexity, chains and remediation evaluted inversely?

    www.quadhelion.engineering/articles.html

    source
    • corsicanguppy@lemmy.ca ⁨10⁩ ⁨months⁩ ago

      Sooo, xkcd 927?

      source
      • kboy101222@sh.itjust.works ⁨10⁩ ⁨months⁩ ago

        That’s Standards, isn’t it?

        source
        • -> View More Comments
      • unconfirmedsourcesDOTgov@lemmy.sdf.org ⁨10⁩ ⁨months⁩ ago

        Link for the lazy

        source
      • crsu@lemmy.world ⁨10⁩ ⁨months⁩ ago

        no garfield 3:16

        source
    • return2ozma@lemmy.world ⁨10⁩ ⁨months⁩ ago

      Thanks for sharing! I’m amazed at how sophisticated this was.

      source
  • autotldr@lemmings.world [bot] ⁨10⁩ ⁨months⁩ ago

    This is the best summary I could come up with:

    Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky.

    Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.

    “The exploit’s sophistication and the feature’s obscurity suggest the attackers had advanced technical capabilities,” Kaspersky researcher Boris Larin wrote in an email.

    “Our analysis hasn’t revealed how they became aware of this feature, but we’re exploring all possibilities, including accidental disclosure in past firmware or source code releases.

    A fresh infusion of details disclosed Wednesday said that “Triangulation”—the name Kaspersky gave to both the malware and the campaign that installed it—exploited four critical zero-day vulnerabilities, meaning serious programming flaws that were known to the attackers before they were known to Apple.

    The researchers found that several of MMIO addresses the attackers used to bypass the memory protections weren’t identified in any device tree documentation, which acts as a reference for engineers creating hardware or software for iPhones.

    The original article contains 653 words, the summary contains 200 words. Saved 69%. I’m a bot and I’m open source!

    source
  • JustUseMint@lemmy.world ⁨10⁩ ⁨months⁩ ago

    There are few groups I think they could pull off such a stunt and would even want to. Nation state actors from the US such as CIA/NSA, or China, like the Ministry of Industry and Information Technology. They have a many other gov sectors with very talented APT groups. I’d bring up that NK nation state actors are also very talented, but they’ve been recently aligned with them. Perhaps their loyalty to the CCP is stronger than their current Russian ties.

    source
    • elias_griffin@lemmy.world ⁨10⁩ ⁨months⁩ ago

      Skill is certainly one evaluation parameter and Fin7, JokerStash, Carbanak fit that bill but that is not their MO. Target, motive, opportunity -> Embassy Employees/Diplomats -> Nation-State or Intergovernmental Group (like 5/9/14 eyes) as eval combined with skill rating, @95% confidence.

      source
  • Treczoks@lemmy.world ⁨10⁩ ⁨months⁩ ago

    I wonder how many of those exploits were long known by the three-letter agencies, and were hoarded instead of getting fixed.

    source
  • Classy@sh.itjust.works ⁨10⁩ ⁨months⁩ ago

    Can’t wait to listen to the Darknet Diaries interview about this in a few years.

    source
    • Squizzy@lemmy.world ⁨10⁩ ⁨months⁩ ago

      How do you find those podcasts, sometimes the stories are really interesting but I think he is running thin on ideas.

      source
      • Lemmyvisitor@lemmy.dbzer0.com ⁨10⁩ ⁨months⁩ ago

        not op, but I think it depends a lot on the person he’s interviewing

        source
  • LodeMike@lemmy.today ⁨10⁩ ⁨months⁩ ago

    Can the US government pass a law to force Apple specifically to rip out the messages app and replace it with something that apparently doesn’t have infinite exploits??

    source
    • Tautvydaxx@lemmy.world ⁨10⁩ ⁨months⁩ ago

      There is no such thing as a device or software without exploit, even a carrier pigeon can be cought and the messege read.

      source
      • ExLisper@linux.community ⁨10⁩ ⁨months⁩ ago

        What if the pigeon has a gun?

        source
        • -> View More Comments
      • Tja@programming.dev ⁨10⁩ ⁨months⁩ ago

        Not if you wirte the message using invisible ink.

        source
        • -> View More Comments
      • EngineerGaming@feddit.nl ⁨10⁩ ⁨months⁩ ago

        I wouldn’t trust a service whose source code is not accessible though.

        source
        • -> View More Comments
    • Cocodapuf@lemmy.world ⁨10⁩ ⁨months⁩ ago

      How would that help them? Even if that were an effective measure (which it isn’t), it was almost certainly a us spy agenciy that did this.

      source
      • crsu@lemmy.world ⁨10⁩ ⁨months⁩ ago

        Not necessarily, five eyes share intelligence responsibilities

        source
  • vext01@lemmy.sdf.org ⁨10⁩ ⁨months⁩ ago

    Does ios have any ROP mitigations?

    source
  • tsonfeir@lemm.ee ⁨10⁩ ⁨months⁩ ago

    It’s important to reboot your devices frequently

    source