{"id":30164,"date":"2024-01-03T11:35:29","date_gmt":"2024-01-03T19:35:29","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=30164"},"modified":"2024-01-03T11:37:21","modified_gmt":"2024-01-03T19:37:21","slug":"sb-2024-01-03","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2024\/01\/sb-2024-01-03\/","title":{"rendered":"Security Bits \u2014 3 January 2024 (Bart & Jill from the North Woods)"},"content":{"rendered":"

Deep Dive \u2014 Operation Triangulation<\/h2>\n

TL;DR<\/strong> \u2014 Kaspersky labs have discovered that they, and Russian government officials, were targeted by very advanced iOS malware that completely took over iOS devices for the last 4 years. Apple have patched all the exploited vulnerabilities, regular users were not targeted, and Kaspersky say there is not enough evidence to link the exploit to any particular group or government.<\/em><\/p>\n

The Ars Technica Writeup by Dan Goodin linked below gives the best-detailed summary I have read, so I won’t try duplicating it, instead, I want to highlight the key facts we know:<\/p>\n

    \n
  1. The attacks were in use and went undetected for 4 years<\/p>\n<\/li>\n
  2. \n

    The attacks were very tightly targeted to keep them secret for as long as possible, this is why regular users don’t need to worry.<\/p>\n<\/li>\n

  3. \n

    The attacks were delivered via iMessage, and the malware was able to infect the device without any user interaction, i.e. they were zero-click<\/em><\/p>\n<\/li>\n

  4. \n

    The attacks did not survive a reboot, but victims were regularly re-infected with fresh malicious iMessages<\/p>\n<\/li>\n

  5. \n

    Because of how many layers of security Apple have added to iOS, the attackers needed four zero-day vulnerabilities to work around Address Space Layout Randomisation and hardware kernel protections \u2014 a bug in TrueType, a kernel bug, a previously unknown un-documented hardware feature\/bug, and a Safari bug<\/p>\n<\/li>\n

  6. \n

    The hardware feature\/bug is the most mysterious, here is what Kaspersky concluded:<\/p>\n

    \n “Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake”\n<\/p><\/blockquote>\n<\/li>\n

  7. Apple have patched all four vulnerabilities, including the hardware bug<\/p>\n<\/li>\n
  8. \n

    Security researchers are describing this as the most advanced attack they have ever seen, so this is clearly a big operation backed by very substantial resources, so probably a nation-state or a group of nation-states, but no one knows who. This is the most Kaspersky would conclude:<\/p>\n

    \n “Currently, we cannot conclusively attribute this cyberattack to any known threat actor \u2026 The unique characteristics observed in Operation Triangulation don’t align with patterns of known campaigns, making attribution challenging at this stage”\n<\/p><\/blockquote>\n<\/li>\n<\/ol>\n

    More details may emerge as time goes on, but for now, any claims that a specific government or group were responsible, or any assertions that Apple did this intentionally are pure speculation, so don’t fall for the click-bait.<\/p>\n

    Also note that the fact that this was so difficult to pull off proves how hard Apple are working to harden the iPhone.<\/p>\n

    Finally, remember that the probability than any NosillaCastaway was in any way affected by these vulnerabilities is so low as to be effectively zero \u2014 billion dollar exploits are not wasted on regular folk like us!<\/p>\n

    Links:<\/h3>\n