Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Iphone Security IT

4-Year Campaign Backdoored iPhones Using Possibly the Most Advanced Exploit Ever (arstechnica.com) 57

Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky. Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of. ArsTechnica: "The exploit's sophistication and the feature's obscurity suggest the attackers had advanced technical capabilities," Kaspersky researcher Boris Larin wrote in an email. "Our analysis hasn't revealed how they became aware of this feature, but we're exploring all possibilities, including accidental disclosure in past firmware or source code releases. They may also have stumbled upon it through hardware reverse engineering."

Other questions remain unanswered, wrote Larin, even after about 12 months of intensive investigation. Besides how the attackers learned of the hardware feature, the researchers still don't know what, precisely, its purpose is. Also unknown is if the feature is a native part of the iPhone or enabled by a third-party hardware component such as ARM's CoreSight. The mass backdooring campaign, which according to Russian officials also infected the iPhones of thousands of people working inside diplomatic missions and embassies in Russia, according to Russian government officials, came to light in June. Over a span of at least four years, Kaspersky said, the infections were delivered in iMessage texts that installed malware through a complex exploit chain without requiring the receiver to take any action. With that, the devices were infected with full-featured spyware that, among other things, transmitted microphone recordings, photos, geolocation, and other sensitive data to attacker-controlled servers. Although infections didn't survive a reboot, the unknown attackers kept their campaign alive simply by sending devices a new malicious iMessage text shortly after devices were restarted.

This discussion has been archived. No new comments can be posted.

4-Year Campaign Backdoored iPhones Using Possibly the Most Advanced Exploit Ever

Comments Filter:
  • Obviously... (Score:3, Interesting)

    by Smidge204 ( 605297 ) on Wednesday December 27, 2023 @03:12PM (#64110027) Journal

    > Besides how the attackers learned of the hardware feature, the researchers still don't know what, precisely, its purpose is

    The purpose is to be a back door. Government spooks gotta have a way to hack into the phones of... uh...

    > thousands of people working inside diplomatic missions and embassies in Russia

    People like that.
    =Smidge=

    • Re: (Score:3, Insightful)

      Could also be China since these phones are manufactured there. They would want to know what Russian officials are talking about so when trade negotations come up they can use that information to their advantage.

      Just like China recently did when the Muscovite Midget went begging to Xi for assistance to keep the Ukrainian war going. Most likely the delivery of ammunition and other equipment from North Korea is what was agreed on.

      • by AmiMoJo ( 196126 )

        More likely the US/UK. Kaspersky has been a thorn in the NSA's and GCHQ's side for years, because their anti virus software detects Western malware.

      • by necro81 ( 917438 )

        Could also be China since these phones are manufactured there

        From the description, it sounds like a hardware vulnerability in the Apple processors. Those are manufactured in Taiwan, not mainland China.

    • I hope it turns out that this was approved under FISA and has infected English-only speaking Americans who have no overseas or foreign contacts, nor passports.

  • by Rosco P. Coltrane ( 209368 ) on Wednesday December 27, 2023 @03:15PM (#64110039)

    delivered in iMessage texts

    So that's why Beeper worked so hard to make that stupid thing work in their chat client :)

    • Re: (Score:3, Funny)

      by znrt ( 2424692 )

      it's blue bubbles all the way down.

    • That's why Apply has done everything they can to stop Beeper. Start poking around an API and you just might discover a backdoor ... that was intentionally put there.

      • The messaging API isn't the issue. The exploit begins when the victim receives a malicious PDF. It doesn't really matter how that PDF was sent.
        • It's not the API.

          Why would iMessage open and interpret a PDF without user interaction?

          Why would a PDF interpreter have a sandbox escape exploit that would allow access to undocumented hardware registers

          This requires smuggling precise machine code in the PDF and jumping to it and averting sandbox guiderails.

          Nah, this whole thing stinks top to bottom. At least LineageOS is the Devil we Know.

  • Apple's excuse for not opening up the App Store, and also blocking apps like Beeper from integrating with iMessage is that it would compromise the security of the iPhone. We're supposed to believe Apple cares about security. Yet every single version of iOS has had a jailbreak-enabling serious flaw. Every. Single. Version.

    • by Viol8 ( 599362 ) on Wednesday December 27, 2023 @03:31PM (#64110101) Homepage

      Name a consumer OS that doesnt have an exploit in every version. Yet we still use some form of authentication to log in to them.

      • Re: (Score:3, Insightful)

        by SendBot ( 29932 )

        Here's the complete list of consumer OS's with known exploits, and that disallow second and third party software to run on them without hassle under the guise of protecting you, but actually serving anticompetitive practices:

      • by znrt ( 2424692 )

        those consumer os do not impose lock-in "in order to guarantee security". the keyword in the post you reply to is "excuse", which is the point: the mere proposition is preposterous, and when they inevitably fail to protect it becomes glaringly and bloody obvious.

        mind you, the audience's absolute faith seems unaffected even then. it's just comical at this point.

        • those consumer os do not impose lock-in "in order to guarantee security".

          Of course they don't. Because it doesn't work.

          the keyword in the post you reply to is "excuse", which is the point: the mere proposition is preposterous

          That part clearly does work though.

  • State actors (Score:5, Interesting)

    by CAIMLAS ( 41445 ) on Wednesday December 27, 2023 @03:19PM (#64110049)

    Every bit of this stinks of state actors - specifically, and most probably, from the US.

    1) they targeted individuals within known organizations
    2) it was a protracted, slowly rolled out campaign
    3) the payload was/is highly sophisticated
    4) proprietary knowledge was required to perform the initial exploit
    5) non-persistent (ie designed to be stealthy and difficult to reverse engineer/acquire)
    6) payload was not designed for anything other than sigint (ie no bitcoin money laundering or theft or such nonsense).

    There are also, of course, additional ways that proprietary knowledge could have been gained: they could have been working directly with Apple and had access to the schematics, or they may have had people working for Apple on the downlow who had access to the hardware and put the hardware features in there to begin with for this explicit purpose. And probably several variations on that theme.

    • This exploit has NSA written all over it.

    • >Every bit of this stinks of state actors - specifically, and most probably, from the US.

      Yes. But it's hardly hypocritical considering how long and frequently Russia's been targeting the US. Live by the sword, die by the sword. /Or we could all agree this is unacceptable behaviour and have multi-party treaties with teeth banning it. //Oh yeah, that'll happen.

    • Fun fact: 5 years ago Bloomberg published an article about how China had inserted hardware backdoors into US electronics and used Apple as the prime example. Apple flat out denied this and there was a campaign to get Bloomberg to reveal their sources (who supposedly worked for Apple) or retract the story. Bloomberg did neither.
      • by Anonymous Coward

        Well Bloomberg's article was laughable because it was about EXTRA PHYSICAL chips! Even an accountant might notice those! "Hey why are there extra chips? They're not part of our design. Can you remove them and charge us less instead?"

        In contrast exceedingly few accountants would spot this:

        attackers are able to write the desired data to the desired physical address with [the] bypass of [a] hardware-based memory protection by writing the data, destination address and hash of data to unknown, not used by the firmware, hardware registers of the chip.

        Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or was included by mistake. Since this feature is not used by the firmware, we have no idea how attackers would know how to use it

        And this is how you add backdoors that are hard to detect. And these backdoors were only detected because people got pwned and they eventually noticed AND had enough technical capability to investigate.

        IMO Apple's backdoor

      • by CAIMLAS ( 41445 )

        Oh I remember that now! Very interesting, I do wonder if it's related.

      • Let's ignore that almost all details of your story are off and go straight to the kicker: nobody ever found a single one of the reported backdoor chips (one of those details you got wrong).
    • by hawk ( 1151 )

      >most probably, from the US.

      or from one of Kaspersky's own projects getting misplaced or out of control . . .

  • Has Apple fixed whatever backdoor is being used to carry out this attack? Can it be fixed?

    • AT article says Apple has patched this vulnerability on all platforms.

      • It has to do with hidden memory registers that are never used in the phone's normal operation, have never been mentioned in any documentation, and were only discovered when Kaspersky did some reverse-engineering on the hardware side. To me (and everyone else, looking at these comments) it sounds like a hardware backdoor that was deliberately inserted during manufacturing.

        Maybe they can use a software update to prevent that backdoor from working exactly as it did, but I imagine you could tweak it a bit to ge

        • by stevenm86 ( 780116 ) on Wednesday December 27, 2023 @04:57PM (#64110399)
          The "fix" is to write to another register that prevents access to this hardware block in the first place. Although I don't know what this hardware block is, it's entirely plausible that this was left in by accident. Chip design is an incredibly hierarchical thing and it's possible that the person doing the integration doesn't know 100% everything about the blocks being delivered to them. This is pure speculation, but it's interesting that CoreSight was mentioned earlier. CoreSight allows a debugger to arbitrarily write to memory, and is controlled via a debug bus (which is accessed via JTAG/SWD and is fused out before shipping). If someone accidentally bridged the debug bus and the main bus (for simplicity or whatever), I could see how that would bypass the debug fuses in a roundabout way. But again this is complete speculation.
  • A Russian security company trusted closed source from a US company?

    Results are ... exactly as expected.

  • I'm an iPhone user so my back door was penetrated too. I feel violated. I'd like to know if access to my back door is now blocked.
  • That's why you must not sideload or audit the OS.

  • I did it. That's right! Cone and get me, if you can! - Area 51, intergalactical division
  • Yan Chenglong did this, seems he has a lot of experience too!
    https://games.slashdot.org/sto... [slashdot.org]

  • undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.

    That's a novel description of the DIA hardware backdoor [wikipedia.org] /s
  • by sxpert ( 139117 ) on Friday December 29, 2023 @03:24PM (#64115397)

    this would explain this, I guess
    https://www.businessinsider.co... [businessinsider.com]

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...