According to recent research presented by ArsTechnica, investigators have revealed evidence indicating that thousands of iPhone units were targeted by spyware over a span of four years. These iPhones were reportedly owned by employees of the security company Kaspersky in Moscow. The attackers were able to gain unprecedented access to the devices by exploiting a vulnerability in a hardware feature that was not widely known outside of Apple and semiconductor design firm Arm Holdings.
The purpose of this hardware feature, and how the attackers became aware of it, remain unknown, raising the question of whether it was part of the native iPhone hardware or was enabled by a third-party component such as Arm’s CoreSight. In addition to infecting Kaspersky employees’ iPhones, the spyware also targeted devices used by thousands of individuals employed at embassies and diplomatic missions in Russia.
The spyware was reportedly delivered to targeted iPhones through iMessage texts without requiring any action from the victim. Once infected, the iPhones transmitted sensitive information, including microphone recordings, photos, and geolocation data, to servers controlled by the attackers. Rebooting an iPhone cleared the infection, but the attackers were able to re-infect the device after every reboot by sending a new text carrying the spyware.
The malware and the campaign that led to its installation were known as “Triangulation”; the attack chain exploited four zero-day vulnerabilities, meaning the attackers knew of these flaws before Apple did. Apple has since patched them, cataloged as CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, and CVE-2023-41990. These vulnerabilities affected not only iPhone models but also iPads, iPods, Macs, Apple TVs, and Apple Watches.
In a statement, Boris Larin, a researcher at Kaspersky, highlighted the severity and sophistication of the exploit. He explained that the closed nature of the iOS ecosystem made the discovery process challenging and time-consuming due to the comprehensive understanding required of both hardware and software architectures. This discovery led to the realization that even advanced hardware-based protections can be rendered ineffective in the face of a sophisticated attacker.
While some have attributed the attack to the U.S. National Security Agency (NSA), alleging that it collaborated with Apple, others have disputed these claims. Kaspersky, however, has stated that it has no evidence to confirm the involvement of either party.