Advanced Exploit Chain Affecting Older iOS Versions Detailed by Kaspersky

Dan Goodin, Ars Technica:

Researchers on Wednesday presented intriguing new findings surrounding an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky. Chief among the discoveries: the unknown attackers were able to achieve an unprecedented level of access by exploiting a vulnerability in an undocumented hardware feature that few if anyone outside of Apple and chip suppliers such as ARM Holdings knew of.

“The exploit’s sophistication and the feature’s obscurity suggest the attackers had advanced technical capabilities,” Kaspersky researcher Boris Larin wrote in an email. “Our analysis hasn’t revealed how they became aware of this feature, but we’re exploring all possibilities, including accidental disclosure in past firmware or source code releases. They may also have stumbled upon it through hardware reverse engineering.”

The post on Kaspersky’s site has more technical information about the chain of exploits used here.

As you might recall, Russian intelligence officials claimed Apple assisted the NSA to build this malware — something which Apple has denied and, it should be noted, no proof has been provided for Apple’s involvement or the NSA’s. It does not appear there is any new evidence which would implicate Apple. But it is notable that it relied on an Apple-specific TrueType specification, and bypasses previously undisclosed hardware memory protections. To be clear, neither of those things increases the likelihood of Apple’s alleged involvement in my mind. It does show how disused or seemingly irrelevant functions remain vulnerable and can be used by sophisticated and likely state-affiliated attackers.