Unprecedented iPhone Attack: Discover the ‘Most Sophisticated’ 0-Click Exploit Using Four 0-Days

A major security vulnerability in iMessage has been uncovered and patched by Apple; it left iPhones and other Apple devices vulnerable to sophisticated spyware and exploitation until the release of iOS 16.2 in December 2022. The vulnerability, dubbed “Operation Triangulation” by researchers at Kaspersky, was described as the “most sophisticated attack chain” ever seen by the security community.

During a presentation at the Chaos Communication Congress, Kaspersky security researchers Boris Larin, Leonid Bezvershenko, and Georgy Kucherin revealed the details of the advanced iMessage attack. They also shared their findings and work on the Kaspersky SecureList blog.

The attack chain involved the exploitation of four zero-day vulnerabilities to gain root privileges over the victim’s device. These vulnerabilities allowed attackers to send a malicious iMessage attachment that would exploit a remote code execution vulnerability in an undocumented, Apple-only ADJUST TrueType font instruction. The attackers then used various methods, including obfuscated JavaScript exploits and integer overflow vulnerabilities, to gain access to the device’s physical memory and execute spyware.

The researchers outlined each step of the attack chain and expressed their concerns about the remaining mystery surrounding one of the vulnerabilities. They highlighted the need for transparency and collaboration among iOS security researchers to understand how the attackers learned about the hidden hardware feature.

In conclusion, the researchers emphasized the importance of transparency in understanding and addressing security vulnerabilities, stating that systems relying on “security through obscurity” can never be truly secure. They invited other security researchers to contribute to the project by reviewing the technical details provided in the Kaspersky post.