4-Year Campaign Backdoored iPhones Using Possibly the Most Advanced Exploit Ever (arstechnica.com)
Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky. Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if any outside of Apple and chip suppliers such as ARM Holdings knew of. ArsTechnica: "The exploit's sophistication and the feature's obscurity suggest the attackers had advanced technical capabilities," Kaspersky researcher Boris Larin wrote in an email. "Our analysis hasn't revealed how they became aware of this feature, but we're exploring all possibilities, including accidental disclosure in past firmware or source code releases. They may also have stumbled upon it through hardware reverse engineering."
Other questions remain unanswered, wrote Larin, even after about 12 months of intensive investigation. Besides how the attackers learned of the hardware feature, the researchers still don't know what, precisely, its purpose is. Also unknown is whether the feature is a native part of the iPhone or enabled by a third-party hardware component such as ARM's CoreSight. The mass backdooring campaign, which according to Russian government officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia, came to light in June. Over a span of at least four years, Kaspersky said, the infections were delivered in iMessage texts that installed malware through a complex exploit chain without requiring the receiver to take any action. With that, the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers. Although infections didn't survive a reboot, the unknown attackers kept their campaign alive simply by sending devices a new malicious iMessage text shortly after the devices were restarted.
Obviously... (Score:3, Interesting)
> Besides how the attackers learned of the hardware feature, the researchers still don't know what, precisely, its purpose is
The purpose is to be a back door. Government spooks gotta have a way to hack into the phones of... uh...
> thousands of people working inside diplomatic missions and embassies in Russia
People like that.
=Smidge=
Re: (Score:3, Insightful)
Could also be China since these phones are manufactured there. They would want to know what Russian officials are talking about so when trade negotiations come up they can use that information to their advantage.
Just like China recently did when the Muscovite Midget went begging to Xi for assistance to keep the Ukrainian war going. Most likely the delivery of ammunition and other equipment from North Korea is what was agreed on.
Re: (Score:2)
More likely the US/UK. Kaspersky has been a thorn in the NSA's and GCHQ's side for years, because their anti virus software detects Western malware.
Re: (Score:3)
From the description, it sounds like a hardware vulnerability in the Apple processors. Those are manufactured in Taiwan, not mainland China.
Re: (Score:1)
I hope it turns out that this was approved under FISA and has infected English-only speaking Americans who have no overseas or foreign contacts, nor passports.
And now we know (Score:3)
delivered in iMessage texts
So that's why Beeper worked so hard to make that stupid thing work in their chat client :)
Re: (Score:3, Funny)
it's blue bubbles all the way down.
Re: (Score:1)
That's why Apple has done everything they can to stop Beeper. Start poking around an API and you just might discover a backdoor ... that was intentionally put there.
Re: (Score:1)
It's not the API.
Why would iMessage open and interpret a PDF without user interaction?
Why would a PDF interpreter have a sandbox escape exploit that would allow access to undocumented hardware registers?
This requires smuggling precise machine code in the PDF and jumping to it and averting sandbox guiderails.
Nah, this whole thing stinks top to bottom. At least LineageOS is the Devil we Know.
iPhone security (Score:1, Troll)
Apple's excuse for not opening up the App Store, and also blocking apps like Beeper from integrating with iMessage is that it would compromise the security of the iPhone. We're supposed to believe Apple cares about security. Yet every single version of iOS has had a jailbreak-enabling serious flaw. Every. Single. Version.
Re: iPhone security (Score:4, Insightful)
Name a consumer OS that doesn't have an exploit in every version. Yet we still use some form of authentication to log in to them.
Re: (Score:3, Insightful)
Here's the complete list of consumer OSes with known exploits that disallow second- and third-party software from running on them without hassle under the guise of protecting you, but actually serving anticompetitive practices:
Re: (Score:2)
those consumer os do not impose lock-in "in order to guarantee security". the keyword in the post you reply to is "excuse", which is the point: the mere proposition is preposterous, and when they inevitably fail to protect it becomes glaringly and bloody obvious.
mind you, the audience's absolute faith seems unaffected even then. it's just comical at this point.
Re: (Score:2)
those consumer os do not impose lock-in "in order to guarantee security".
Of course they don't. Because it doesn't work.
the keyword in the post you reply to is "excuse", which is the point: the mere proposition is preposterous
That part clearly does work though.
State actors (Score:5, Interesting)
Every bit of this stinks of state actors - specifically, and most probably, from the US.
1) they targeted individuals within known organizations
2) it was a protracted, slowly rolled out campaign
3) the payload was/is highly sophisticated
4) proprietary knowledge was required to perform the initial exploit
5) non-persistent (i.e., designed to be stealthy and difficult to reverse engineer/acquire)
6) payload was not designed for anything other than sigint (i.e., no bitcoin money laundering or theft or such nonsense).
There are also, of course, additional ways that proprietary knowledge could have been gained: they could have been working directly with Apple and had access to the schematics, or they may have had people working for Apple on the downlow who had access to the hardware and put the hardware features in there to begin with for this explicit purpose. And probably several variations on that theme.
Re: (Score:3)
This exploit has NSA written all over it.
Re: (Score:2)
Not that good. They got caught.
Re: (Score:2)
How in the world would you consider this a 'troll' post?
Kaspersky has long been one of, if not the, best security research organizations in the world. Their AV constantly showed up others, and they've been responsible for identifying a large amount of state-actor maliciousness over the years. The fact that they're Russian is likely a big part of why they were targeted. (I'd expect the same of eSet, but they're not explicitly Russian)
They don't need to explicitly "dislike" Kaspersky. It's not quite so childi
Re: (Score:2)
>Every bit of this stinks of state actors - specifically, and most probably, from the US.
Yes. But it's hardly hypocritical considering how long and frequently Russia's been targeting the US. Live by the sword, die by the sword. /Or we could all agree this is unacceptable behaviour and have multi-party treaties with teeth banning it. //Oh yeah, that'll happen.
Re: (Score:2)
You think the US targeting Russia is something new? The US has been openly hostile towards Russia since 2008.
Re: (Score:2)
Oh, I think the mutual hostility goes back just a BIT further than that.
Re: (Score:1)
Well Bloomberg's article was laughable because it was about EXTRA PHYSICAL chips! Even an accountant might notice those! "Hey why are there extra chips? They're not part of our design. Can you remove them and charge us less instead?"
In contrast exceedingly few accountants would spot this:
attackers are able to write the desired data to the desired physical address with [the] bypass of [a] hardware-based memory protection by writing the data, destination address and hash of data to unknown, not used by the firmware, hardware registers of the chip.
Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or was included by mistake. Since this feature is not used by the firmware, we have no idea how attackers would know how to use it
And this is how you add backdoors that are hard to detect. And these backdoors were only detected because people got pwned and they eventually noticed AND had enough technical capability to investigate.
IMO Apple's backdoor
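The quoted Kaspersky text above describes a register interface that takes data, a destination physical address and a hash of the data, and then performs the write behind the back of the hardware memory protection the kernel relies on. The following is an added example (not code from the page, from Apple or from Kaspersky's report) that models that shape in a few dozen lines of C so the two points in the thread are concrete: a peripheral-side write path ignores the CPU-side page protection, and a hash that the hardware checks is obscurity rather than authorization once someone recovers the algorithm. The register names, the toy hash, the simulated page-protection flag and the MMIO allowlist are all assumptions for illustration; nothing here reflects the real register layout or Apple's actual fix.

```c
/* Toy model of a "data / destination address / hash" register interface.
 * All names, the hash, and the allowlist are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE 4096u
#define PAGE     256u

/* Simulated physical RAM plus a per-page read-only flag standing in for the
 * hardware memory protection the CPU honours. */
static uint8_t ram[RAM_SIZE];
static int page_readonly[RAM_SIZE / PAGE];

/* The assumed register block: data word, destination physical address,
 * expected hash. A "commit" performs the write if the hash matches. */
struct regs {
    uint32_t data;
    uint32_t dest;
    uint32_t hash;
};

/* Assumed, deliberately weak hash (xor + rotate). Anyone who reverses the
 * hardware can recompute it, so it gates nothing against a capable attacker. */
uint32_t toy_hash(uint32_t data, uint32_t dest) {
    uint32_t h = data ^ 0xA5A5A5A5u;
    h = (h << 7) | (h >> 25);
    return h ^ dest;
}

/* CPU-side store: respects the page protection flag. Returns 1 on success. */
int cpu_store32(uint32_t addr, uint32_t v) {
    if (addr + 4 > RAM_SIZE || page_readonly[addr / PAGE]) return 0;
    memcpy(&ram[addr], &v, 4);
    return 1;
}

/* Peripheral-side commit: writes physical RAM directly, never consulting the
 * protection flag the CPU path enforces. Returns 1 if the write happened. */
int periph_commit(const struct regs *r) {
    if (r->dest + 4 > RAM_SIZE) return 0;
    if (r->hash != toy_hash(r->data, r->dest)) return 0;
    memcpy(&ram[r->dest], &r->data, 4);
    return 1;
}

uint32_t ram_load32(uint32_t addr) {
    uint32_t v;
    memcpy(&v, &ram[addr], 4);
    return v;
}

/* One defensive shape (an assumption, not Apple's patch): the kernel only maps
 * MMIO ranges it knows about. The toy register block is assumed to live at
 * 0x1000 and is absent from the list, so nothing can reach it. */
struct range { uint32_t base, len; };
static const struct range mmio_allow[] = { {0x2000u, 0x100u}, {0x3000u, 0x400u} };

int mmio_mappable(uint32_t pa) {
    for (size_t i = 0; i < sizeof mmio_allow / sizeof mmio_allow[0]; i++)
        if (pa >= mmio_allow[i].base && pa < mmio_allow[i].base + mmio_allow[i].len)
            return 1;
    return 0;
}

/* Demo: mark page 1 read-only, show the CPU store is refused while the
 * register path lands the same word. Returns 1 if the bypass is observed. */
int demo(void) {
    memset(ram, 0, sizeof ram);
    memset(page_readonly, 0, sizeof page_readonly);
    page_readonly[1] = 1;                       /* 0x100..0x1ff read-only */
    int cpu_ok = cpu_store32(0x120u, 0xDEADBEEFu);
    struct regs r = { 0xDEADBEEFu, 0x120u, 0 };
    r.hash = toy_hash(r.data, r.dest);          /* attacker knows the hash */
    int periph_ok = periph_commit(&r);
    return cpu_ok == 0 && periph_ok == 1 && ram_load32(0x120u) == 0xDEADBEEFu;
}

int main(void) {
    printf("protected page written via register path: %s\n", demo() ? "yes" : "no");
    printf("toy register block mappable under allowlist: %d\n", mmio_mappable(0x1000u));
    return 0;
}
```

The point of the model is where the check lives: `cpu_store32` consults the protection bit, `periph_commit` does not, and the only thing standing between an attacker and a protected page is recomputing `toy_hash`. Gating which physical ranges the kernel will map at all (`mmio_mappable`) removes the register block from reach regardless of the hash, which is the kind of mitigation that does not depend on the feature staying secret.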
Re: (Score:2)
Oh I remember that now! Very interesting, I do wonder if it's related.
Re: (Score:2)
>most probably, from the US.
or from one of Kaspersky's own projects getting misplaced or out of control . . .
Re: Fuck Apple (Score:2)
Proof of what. Do fill us in on your amazing epiphany.
Re: (Score:2)
Please seek professional help. Necrophilia is a serious crime.
Has Apple fixed the flaw? (Score:2)
Has Apple fixed whatever backdoor is being used to carry out this attack? Can it be fixed?
Re: (Score:2)
AT article says Apple has patched this vulnerability on all platforms.
Re: (Score:2)
It has to do with hidden memory registers that are never used in the phone's normal operation, have never been mentioned in any documentation, and were only discovered when Kaspersky did some reverse-engineering on the hardware side. To me (and everyone else, looking at these comments) it sounds like a hardware backdoor that was deliberately inserted during manufacturing.
Maybe they can use a software update to prevent that backdoor from working exactly as it did, but I imagine you could tweak it a bit to ge
Kaspersky used iPhones? (Score:2)
A Russian security company trusted closed source from a US company?
Results are ... exactly as expected.
You need to be secure (Score:2)
That's why you must not sideload or audit the OS.
This was done by a Chinese Champion (Score:2)
Yan Chenglong did this, seems he has a lot of experience too!
https://games.slashdot.org/sto... [slashdot.org]
DIA backdoor backdoored? (Score:2)
That's a novel description of the DIA hardware backdoor [wikipedia.org]
Russian gov mandating dropping of iPhones (Score:3)
this would explain this, I guess
https://www.businessinsider.co... [businessinsider.com]