37C3 - Operation Triangulation: What You Get When Attack iPhones of Researchers

Views: 65,891

media.ccc.de

5 months ago

media.ccc.de/v/37c3-11859-ope...
Imagine discovering a zero-click attack targeting Apple mobile devices of your colleagues and managing to capture all the stages of the attack. That's exactly what happened to us! This led to the fixing of four zero-day vulnerabilities and the discovery of a previously unknown and highly sophisticated spyware that had been around for years without anyone noticing. We call it Operation Triangulation. We've been teasing this story for almost six months, while thoroughly analyzing every stage of the attack. Now, for the first time, we're ready to tell you all about it. This is the story of the most sophisticated attack chain and spyware ever discovered by Kaspersky.
In this presentation, we will share:
* How we managed to discover and capture all stages of a zero-click attack on iOS, despite the attackers’ efforts to hide and protect it,
* a comprehensive analysis of the entire attack chain, which exploited five vulnerabilities, including four zero-days,
* the capabilities of the malware that transforms your phone into the ultimate surveillance tool,
* and the links to previously known malware we were able to find.
oct0xor
kucher1n
bzvr_
events.ccc.de/congress/2023/h...
#37c3 #Security

Comments: 98
@joecincotta5805 4 months ago
This talk just kept escalating! By the time we got to the end I was just in shock.
@JustJustSid 4 months ago
My thoughts exactly. Every time I went "Damn that's crazy" it got crazier. The logistics alone that must be behind this attack are crazy to even think about; there is no way this wasn't done by a nation state attacker with very deep pockets. Absolutely mind boggling attack. Also mad props to Kaspersky labs for figuring all of this out. There are some crazy smart people involved on both sides of this.
@renakunisaki 4 months ago
This is all extremely suspicious. Undocumented debug registers that require a hash? I heard somewhere the hash is related to ECC, so I can conceive of finding this by trial and error, but dang. Burning _two_ kernel exploits, and a Safari exploit from the kernel? They _really_ wanted to hide what they were doing. I guess they hoped people would see the Safari exploit and not think too hard about how it got executed in the first place. The payload is immensely complex, with many clever tricks, suggesting it was written by multiple talented people. The choice of target, and the steps it takes to avoid infecting wrong targets, absolutely reek of the attacker being Not Some Arsehole but rather a large organization... and then there's the fact that Apple silently removed those unused, undocumented functions that the exploit used in the font engine. Usually for a security update you warn people that it's important. Perhaps they weren't allowed this time?
@SionynJones 4 months ago
It's definitely not a debug. No one would design a debug system that required signing. The signature is computed using an S-box lookup table which someone would need prior knowledge about. It's undocumented and would not have been discovered had these dudes not observed it with this malware. My best guess is coercion, but who was coerced, Apple? Arm? And why Kaspersky? Let alone the possibility of other SoCs being compromised.
@carnivorebear6582 4 months ago
@SionynJones I've wondered if other ARM chips have this vulnerability. Even across vendors in x86 land there's a lot of overlap in undocumented instructions between Intel, AMD and VIA.
@MCasterAnd 4 months ago
The font thing didn't seem too suspicious, it's entirely possible that Apple saw this was causing crashes and decided to remove it. But the undocumented debug registers, especially the fact that they figured out they need to differentiate the attack a bit between different CPUs... This reeks of an intentional backdoor.
@rahulramteke3338 3 months ago
Apple is in bed with all three letter agencies
@minirop 1 month ago
@carnivorebear6582 When a vendor decides to create its own ARM chip (like Apple did), they still need to pass ARM's test suite and follow some rules, so could be.
@libenasukro 4 months ago
It must be maddening to be the architect and coders of something this brilliant, but never be able to discuss it. This is genius level stuff and yet not a word was leaked, and they say this has been around for 4 years at least. That's serious discipline.
@sumo-ninja 4 months ago
Looks more like 10 years, they are saying now
@JWieg 5 months ago
Absolutely amazing research and great work! And thanks for the recording ccc 🎉
@alzaimar 4 months ago
I'm speechless. About the facts, the research and how coolly it was presented.
@TK3C 4 months ago
Fascinating talk, thanks for sharing!
@Zatarra48 5 months ago
Thanks again for the good presentation.
@julianbruns7459 4 months ago
Crazy good talk! Thank you. I didn't understand much of the details, but it was still super interesting.
@casgie 4 months ago
The complexity feels similar to Stuxnet
@abwesend 5 months ago
This was impressive, thank you!
@szpl 4 months ago
44:20 Nice easter egg :D
@NeverGiveUpYo 4 months ago
Just epic. Thanks for sharing.
@ac12223 4 months ago
This was crazy good
@Versette 4 months ago
Very interesting presentation! 😄
@Th3Mag1c1an 4 months ago
The person behind creating this would be one hell of a computer genius. How in the world does that person stay this much motivated? Maybe he gets a lot better pay than us. Casual NSA. They have more in store than we could imagine.
@seonor 4 months ago
Most likely this wasn't just one person, but several teams for each step, and some of the needed 0days might also have been bought from others.
@TheSwanies 4 months ago
It's most likely an entire team of researchers
@vladislavivanov2511 4 months ago
This sort of thing isn't a single person effort. There's a good chance it's a state actor too
@SadeN_0 4 months ago
This whole thing could easily be something like $5-10 million in 0day black market value. That's a few doubloons to motivate a couple of people. Kind of a smooth brain move to burn the whole chain on a security researcher's phone, at their workplace
@wr3ckr270 4 months ago
@SadeN_0 Make it 500-1000 million. This is actually the worst nightmare coming true.
@Lino1259 4 months ago
Crazy good talk! Up there with David Kriesel.
@wr3ckr270 4 months ago
True. David Kriesel level of talk.
@saferugdev8975 4 months ago
IMO these guys are like 1-2 universes ahead on the technical level (I'm thinking compared to the printer scandal), but David has the charisma and confidence to make up for it and provide an overall equally interesting talk
@cybersamurai99 2 months ago
Amazing talk, scary stuff out there.
@etziowingeler3173 4 months ago
Thx for recording!
@xCheddarB0b42x 4 months ago
This is incredible.
@pardal_bs 4 months ago
This is an insane exploit chain. It makes you wonder how they found all those 0-days, especially the undocumented registers and the hash algorithm...
@SadeN_0 4 months ago
Absolutely bananas
@MewK_ 4 months ago
Impressive!
@eltebux 19 days ago
Crazy how such a sophisticated piece of attack has an MD5 hash in the mix…
@OutbackCatgirl 4 months ago
homicidalwombat is a pretty banger email address ngl
@blaaaaaaaaaaaaa 4 months ago
Makes me feel so dumb :P Breathtaking work guyz!
@Dr-Zed 4 months ago
This makes iLeakage look like a joke
@TotoMacFrame 5 months ago
Crazy. Not that I understand much of it, but how the hell do I calculate the hash of a rendered triangle? And how does this lead to device fingerprinting? I imagine the hash of that triangle is different on each device, but how does this come about, technology-wise?
@caiocc12 4 months ago
Probably just taking the rasterized result from the framebuffer and hashing that. With anti-aliasing, the target GPU may render it with an imperceptible change in a pixel color around the triangle's edge and that is enough. There are so many layers to that it's hard to believe it's not a backdoor.
@ralphorama 4 months ago
Canvas fingerprinting is pretty common on the modern web, I know TikTok's web frontend uses it for tracking. BrowserLeaks says, "this technique relies on variations in how canvas images are rendered on different web browsers and platforms to create a personalized digital fingerprint of a user's browser."
@TyrHeimdal 4 months ago
Just google "canvas fingerprinting", the techniques have been widely known for 10 years to uniquely fingerprint devices. It's still widely in use today, and mitigations will (still to this day) cause you to have worse performance on the interwebz.
@wr3ckr270 4 months ago
Plot Twist: Apple themselves is behind this one.
@joaoalonso6942 4 months ago
This attack is way too complex to be done by a Joe Schmoe. IMO, it seems to be government sponsored.
@rahulramteke3338 3 months ago
It is NSA, CIA, TAO who did this
@joecincotta5805 4 months ago
How many other obscure register mappings exist on all the SoCs around the world!? There is no such thing as security 😢
@prodbyfaith 4 months ago
That's why RISC-V is the future
@schlo9358 4 months ago
@prodbyfaith What does RISC-V do differently?
@carnivorebear6582 4 months ago
@schlo9358 It's an open source architecture; unfortunately those in charge of the project are elitist and not interested in taking advantage of all those who would be willing to contribute. I think any open source FPGA implementation of a CPU core would be pretty secure though, no one will write the code to implement functionality which is unknown.
@alienmajik3798 4 months ago
I wonder if they updated tinycheck to detect these IOCs
@k0in640 3 months ago
Can someone clarify why the attackers use two different kernel exploits?
@scilor 4 months ago
Love this QR: 44:11
@Silas_229 4 months ago
Now we not only have to recognize the YouTube link but also the QR code at different levels of error correction
@Themoonisachees 4 months ago
@Silas_229 dQwM and Spotify's short-middle-short-tall are already burned in my memory for far longer than either Spotify or YouTube will exist
@ttrss 4 months ago
KHEm (NSA) Khem
@JonathanHarkerYT 4 months ago
I'm no expert on this, so sorry for my lack of knowledge. But I've seen many of these 0-days are reset by rebooting/restarting the phone/Mac. Would it be a common and advisable practice to shut down/reboot all devices once a day? Just like old computers and old phones. It would prevent their persistence and damage potential (if I'm not mistaken). Best regards and sorry again if something was misunderstood.
@V4ker 4 months ago
It depends on how difficult it is to exploit a particular attack chain. If it's a more or less reliable 0-click like described in this video, you will annoy hackers by restarting the phone, but ultimately as soon as you do a restart they can just perform the attack again right away. But for anything else, especially something that requires your interaction to be exploited, restarts once per day will be very effective. In general, if you think you might be targeted, it's a good measure, but not an ultimate one, and keep in mind that ultimate measures don't exist :)
@SionynJones 4 months ago
What I wonder is if any other ARM based SoCs have this vulnerability?
@2k18banvalaki5 4 months ago
Very likely yes. Even the Nintendo Switch has a hardware vulnerability regarding the GPU cores being able to bypass PPL. I bet on other Android phones that are not this widespread there are even more vulnerabilities. Not to mention the kernel is open source (with the patches manufacturers applied). And I have heard a few times that Samsung Exynos chips had vulnerabilities too.
@xCheddarB0b42x 4 months ago
VaaS - vulns as a service.
@interested8430 25 days ago
Where can I go to check my iPhone? I didn't catch what they said?
@judgewooden 4 months ago
Title of video should be: Apple's backdoor in iPhone exposed.
@sbjf 4 months ago
State actor?
@DigDowner 4 months ago
Very interesting! I'm wondering, would you feel your phone 'inexplicably' heat up and see its battery drain faster when the Apple Neural Engine analyzes thousands of images and files? Seems like a power-intensive process...
@jasopolis 4 months ago
I doubt it; this processing is also regularly done by iOS for legitimate purposes (e.g. being able to search photos by keyword like 'beach', OCR features in Photos, etc.)
@carnivorebear6582 4 months ago
The neural engine as a whole is a fairly small chunk of silicon relative to CPU/GPU, hence its power usage is not going to be that noticeable heat wise. Would make some difference to battery life but not sure if it would be big enough to jump out as being fishy
@eagle56786 4 months ago
The processing has already been done
@wrakowic 4 months ago
But the analysis is done when the picture is taken, and results are saved as metadata, right? Therefore there wouldn't be additional mass processing.
@eagle56786 4 months ago
@wrakowic Yes, exactly. The attackers just exfiltrate the metadata your iPhone has already processed, and store it on their end, for lack of a better term.
@Davide73 4 months ago
"There are no viruses on Apple"
@user-jn4rd1ks3z 4 months ago
It's NSO's new generation malware
@Vielpi 14 days ago
Of course it was the NSA
@saferugdev8975 4 months ago
Plot twist: watching this talk will trigger the dead switch and deactivate the exploit on your device
@rob2rox 4 months ago
Blue team FTW
@FreakAzoiyd 3 months ago
So how much does Apple pay for detailed information like that? It should be at least in the tens of millions of USD range.
@ytfanboiii_exe7519 3 months ago
I came here from the Dopamine jailbreak 2.0 credits page
@kaiuweb974 5 months ago
Nice Rick-Roll ;)
@TheIrishdriven 4 months ago
No need for a virus in Apple, completely open lol
@Blitzbogen 4 months ago
Unfortunately very difficult to understand
@MCasterAnd 4 months ago
I found it quite easy
@Elijahh747 1 month ago
@MCasterAnd Then write a PoC