Operation Triangulation -- 0-Click Exploit Chain
Operation Triangulation is a sophisticated 0-click exploit chain targeting iOS, discovered by Kaspersky in 2023 on their own employees' devices. Most notable: the exploit uses UNDOCUMENTED hardware features that no one knew existed.
Overview
| Field | Detail |
|---|---|
| Discovered | Kaspersky Lab, 2023 |
| Type | 0-click (no user interaction) |
| Entry point | iMessage |
| iOS range | 15.7 – 16.x |
| Unique aspect | Exploits undocumented hardware MMIO registers |
| Attribution | Unknown (nation-state suspected) |
Exploit Chain
Step 1: iMessage 0-click
├── Malicious iMessage attachment triggers WebKit vulnerability
└── Code execution in WebContent process (sandboxed)
Step 2: Sandbox Escape
├── Exploit vulnerability in system service reachable from WebContent
└── Code execution outside sandbox
Step 3: Kernel Exploit
├── Kernel vulnerability → kernel read/write
└── Full kernel access
Step 4: PPL Bypass (THE NOVEL PART)
└── Uses undocumented hardware MMIO registers:
    - Registers at specific physical addresses
    - Allow modifying page table entries
    - BYPASS PPL completely
    - Apple (and even security researchers) did not know these registers existed
Step 5: Persistent Implant
└── Install spyware payload
    - Record microphone
    - Access photos, messages, location
    - Exfiltrate data
Undocumented Hardware Registers
This is the most shocking part:
Registers at hardware addresses:
- Capable of modifying memory mappings
- Bypass all software protection (PPL, KTRR checks)
- NO documentation
- NO reference in public SDK
- NOT mentioned publicly by Apple engineers
Open questions:
- Debug/test registers from chip development?
- Intentional backdoor?
- Forgotten feature?
- Who knew about these registers besides the attackers?
Apple's response:
- Silently patched (removed/protected registers)
- CVE-2023-38606 assigned
- No public explanation of register purpose
Lessons
1. Hardware Attack Surface
Software security is not enough:
- All software mitigations were bypassed by a hardware feature
- Undocumented hardware = unknown attack surface
- Chip complexity → more hidden features
2. 0-Click Danger
The victim does not need to:
- Click a link
- Open an attachment
- Install an app
Just receiving an iMessage → compromised
→ Highlights the importance of securing always-reachable services like iMessage and FaceTime
3. Exploit Chain Complexity
4 separate vulnerabilities chained:
WebKit → sandbox escape → kernel → PPL bypass
Each vulnerability is of a different class and sits in a different component
→ Extreme expertise required across multiple domains
4. Impact on Jailbreak Community
PPL bypass technique from Op. Triangulation:
→ Adapted by Dopamine jailbreak
→ Hardware MMIO approach became a known technique
→ Apple patched → future jailbreaks need to find alternatives
Resources
- Kaspersky – Operation Triangulation (original disclosure)
- 37C3 Presentation – Operation Triangulation (detailed technical talk)
- Kaspersky – Most Sophisticated iPhone Attack Chain