The years 2019 to 2022 gave rise to a huge tech vulnerability that is said to have affected iPhone users across the globe.
The attack in question was called out to be the most advanced and sophisticated of all times and it revolved around Operation Triangulation thanks to leading researchers from Kaspersky who were the first to explore it.
Now, they’ve ended up sharing everything regarding the ordeal that wreaked havoc.
Researchers who go by the name Boris, Larin, Leonid Bezvershenko, and more presented the findings through a report. This was also the first time in public that such intense details about the attack were being unveiled to the general public. All kinds of risks, exploitations, and vulnerabilities were talked about too for this advanced version of the iMessage attack.
The authors of the study also shed light on their findings via the SecureList blog from Kaspersky. Referred to it as a major technical attack which is better known as Pegasus 0-Click that exploited iMessage users, it was dubbed as a scary ordeal.
It lasted until we saw the existence of iOS 16.2 which was rolled out toward the end of last year.
There is a complete breakdown of how the chain attack arose and we’re summarizing the findings for you below. It’s remarkable how many steps were taken to attain control over the victim’s device.
As mentioned by hackers, there was a malicious-themed alert sent out in the form of an attachment that apps processed without obtaining consent from the user who owned the device. The vulnerability exposed remote code vulnerabilities. This kind of instruction existed during the early nineties, right before a solo patch got rid of it.
It made use of return/jump-oriented programming and several stages mentioned through the NSExpression query terminology. The exploitation was mentioned through JavaScript. In the end, it exploited the JavaScriptCore’s debugging option and ended up manipulating the script’s memory to carry out more API functions.
This vulnerability supported newer and older versions of iPhones from Apple with PAC used for the exploitation of newer models. It made use of an integral vulnerability to attain access to the device’s physical memory too.
These were just some of the many means through which the vulnerability attacked the device and now it’s proof of how carefully it was designed to trick devices and achieve its goal of commanding the phone.
The researchers in this case call their study a breakthrough of novelty and the fact that they could reverse engineer nearly all aspects of the attack through a chain of events was a point worth mentioning. They hope to add more insights through research in the year 2024 and they’ll be going in-depth regarding the situation and breaking down all vulnerabilities and how it carried out attacks.
They have similarly spoken about a mystery that continues to exist in today’s day and age, as far as the CVI-2023-38606 is concerned. According to them, it’s still hard to figure out how attackers became aware of hidden hardware endeavors.
With the release of more technical developments, they hope to provide assistance to researchers at iOS and would also be needing their assistance in terms of finding the right explanation about what went on and how it could be avoided in the future.
In the end, the authors added how iMessage systems emphasize security alerts via obscurity which in itself has major flaws as far as security is concerned.
Photo: Digital Information World - AIgen
Read next: OpenAI And Microsoft Hit By Major Lawsuit After Being Accused Of Copyright Infringement By The New York Times
The attack in question was called out to be the most advanced and sophisticated of all times and it revolved around Operation Triangulation thanks to leading researchers from Kaspersky who were the first to explore it.
Now, they’ve ended up sharing everything regarding the ordeal that wreaked havoc.
Researchers who go by the name Boris, Larin, Leonid Bezvershenko, and more presented the findings through a report. This was also the first time in public that such intense details about the attack were being unveiled to the general public. All kinds of risks, exploitations, and vulnerabilities were talked about too for this advanced version of the iMessage attack.
The authors of the study also shed light on their findings via the SecureList blog from Kaspersky. Referred to it as a major technical attack which is better known as Pegasus 0-Click that exploited iMessage users, it was dubbed as a scary ordeal.
It lasted until we saw the existence of iOS 16.2 which was rolled out toward the end of last year.
There is a complete breakdown of how the chain attack arose and we’re summarizing the findings for you below. It’s remarkable how many steps were taken to attain control over the victim’s device.
As mentioned by hackers, there was a malicious-themed alert sent out in the form of an attachment that apps processed without obtaining consent from the user who owned the device. The vulnerability exposed remote code vulnerabilities. This kind of instruction existed during the early nineties, right before a solo patch got rid of it.
It made use of return/jump-oriented programming and several stages mentioned through the NSExpression query terminology. The exploitation was mentioned through JavaScript. In the end, it exploited the JavaScriptCore’s debugging option and ended up manipulating the script’s memory to carry out more API functions.
This vulnerability supported newer and older versions of iPhones from Apple with PAC used for the exploitation of newer models. It made use of an integral vulnerability to attain access to the device’s physical memory too.
These were just some of the many means through which the vulnerability attacked the device and now it’s proof of how carefully it was designed to trick devices and achieve its goal of commanding the phone.
The researchers in this case call their study a breakthrough of novelty and the fact that they could reverse engineer nearly all aspects of the attack through a chain of events was a point worth mentioning. They hope to add more insights through research in the year 2024 and they’ll be going in-depth regarding the situation and breaking down all vulnerabilities and how it carried out attacks.
They have similarly spoken about a mystery that continues to exist in today’s day and age, as far as the CVI-2023-38606 is concerned. According to them, it’s still hard to figure out how attackers became aware of hidden hardware endeavors.
With the release of more technical developments, they hope to provide assistance to researchers at iOS and would also be needing their assistance in terms of finding the right explanation about what went on and how it could be avoided in the future.
In the end, the authors added how iMessage systems emphasize security alerts via obscurity which in itself has major flaws as far as security is concerned.
Read next: OpenAI And Microsoft Hit By Major Lawsuit After Being Accused Of Copyright Infringement By The New York Times
