[HN Gopher] Operation Triangulation: iOS devices targeted with p...
___________________________________________________________________
Operation Triangulation: iOS devices targeted with previously
unknown malware
Author : fortran77
Score : 101 points
Date : 2023-06-01 14:07 UTC (1 day ago)
(HTM) web link (securelist.com)
(TXT) w3m dump (securelist.com)
| snazz wrote:
| Interesting that this exploit has continued to work through 15.7.
| Apple's earlier BlastDoor system (introduced with iOS 14) clearly
| hasn't done enough to stop future zero-click iMessage exploits,
| so I wonder what attack surface these bugs are found in. Does
| anyone have a more complete understanding of why the BlastDoor
| mitigation has been so insufficient?
| TazeTSchnitzel wrote:
| AIUI they put a lot of the message parsing into its own tightly
| sandboxed process. That surely makes exploitation harder, but
| ultimately that process will have to communicate the results of
| parsing to other processes, and considering the huge diversity
| of things iMessage messages can do, there must still be a lot
| of vulnerable surface area?
| mozman wrote:
| Lockdown Mode blocks all SMS attachments. It's a bit annoying
| but a wonderful feature.
| chatmasta wrote:
| > The malicious toolset does not support persistence, most likely
| due to the limitations of the OS.
|
| This is a reminder to reboot your device if you haven't in a
| while. I have an app called iVerify, from Trail of Bits, which
| sends me periodic notifications reminding me to reboot or upgrade
| my OS.
| walterbell wrote:
| Can iMessage be disabled by MDM / Apple Configurator policy?
| traceroute66 wrote:
| > Can iMessage be disabled by MDM / Apple Configurator policy?
|
| Yes to both.
|
| Don't forget iOS 16 lockdown mode as well as a third option.
| paywallasinbeer wrote:
| So light on details that it's useless. Apparently, the actual
| IoCs and details are here:
| https://securelist.com/operation-triangulation/109842/
| dang wrote:
| Belatedly changed from https://securelist.com/trng-2023/.
| Thanks!
| blakesterz wrote:
| I think that link is just a bit off; the report and details are
| here
|
| https://securelist.com/operation-triangulation/109842/
| dang wrote:
| Belatedly changed from https://securelist.com/trng-2023/.
| Thanks!
| highwaylights wrote:
| Would be interested to know if by 15.7 they mean that it's
| currently a zero-day for 15.7.X devices, or if it's since been
| patched in security updates. Also not clear if any 16.X software
| is vulnerable.
|
| Obviously not a good thing either way, but the most important
| part of this from the user perspective is whether or not up-to-
| date devices are vulnerable.
| bwj982 wrote:
| Does iOS lockdown mode mitigate this vulnerability?
| galad87 wrote:
| The article says the most recent version of iOS targeted is
| 15.7, which doesn't have Lockdown Mode (it was introduced in
| iOS 16). There aren't any details on how the exploit works yet,
| so it's hard to say.
| bwj982 wrote:
| Thank you, I missed that detail
| olliej wrote:
| "The malicious toolset does not support persistence, most likely
| due to the limitations of the OS"
|
| This is an interesting way of phrasing "the OS is secure enough
| that even with full RCE and launching a separate binary, the
| attack cannot make itself survive a reboot"
| dustyharddrive wrote:
| Why do these attacks ever use WiFi? Or plaintext DNS?
| dang wrote:
| Recent and related. Others?
|
| _Scan iPhone backups for traces of compromise by "Operation
| Triangulation"_ - https://news.ycombinator.com/item?id=36164340 -
| June 2023 (129 comments)
|
| _Targeted attack on our management with the Triangulation
| Trojan_ - https://news.ycombinator.com/item?id=36161392 - June
| 2023 (105 comments)
|
| _Kaspersky Blog: "Triangulation" Attack on iOS_ -
| https://news.ycombinator.com/item?id=36154166 - June 2023 (4
| comments)
| r721 wrote:
| >"Clickless" iOS exploits infect Kaspersky iPhones with never-
| before-seen malware
|
| https://news.ycombinator.com/item?id=36154455
| mmastrac wrote:
| Is this a PDF exploit?
|
| > Data usage information of the services
| com.apple.WebKit.WebContent,
| powerd/com.apple.datausage.diagnostics,
| lockdownd/com.apple.datausage.security
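The three service names quoted above are the process names the report lists as traces in the data-usage records of a device backup (the "scan iPhone backups" thread dang links is about the same artefact). Below is an added example, written for this page and not taken from the report or from Kaspersky's scanner, of the kind of triage check a responder would run over an exported copy of that database. It assumes a simplified table layout modelled on DataUsage.sqlite (a `ZPROCESS` table of process names joined to a `ZLIVEUSAGE` table of byte counters, Core Data timestamps as seconds since 2001-01-01); the real schema may differ, and the sample rows are constructed, not from a real backup. A name match is a triage signal that justifies a closer look, not proof of compromise on its own.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Process names as quoted from the Securelist report in the thread above.
INDICATOR_PROCNAMES = {
    "com.apple.WebKit.WebContent",
    "powerd/com.apple.datausage.diagnostics",
    "lockdownd/com.apple.datausage.security",
}

# Assumption: Core Data stores dates as seconds since 2001-01-01 UTC.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def core_data_ts(seconds):
    """Convert a Core Data timestamp to an aware UTC datetime."""
    return CORE_DATA_EPOCH + timedelta(seconds=seconds)


def build_sample_db():
    """Constructed in-memory sample with a simplified ZPROCESS/ZLIVEUSAGE
    layout (assumed schema; not a real DataUsage.sqlite from a backup)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (
            Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT,
            ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
            ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL,
            ZTIMESTAMP REAL);
    """)
    base = 7.0e8  # roughly March 2023 in Core Data seconds
    procs = [
        (1, "mobilesafari", "com.apple.mobilesafari", base, base + 3600),
        (2, "com.apple.WebKit.WebContent", "", base + 100, base + 200),
        (3, "powerd/com.apple.datausage.diagnostics", "", base + 150, base + 250),
        (4, "mail", "com.apple.mobilemail", base, base + 5000),
    ]
    usage = [
        # Z_PK, ZHASPROCESS, WIFIIN, WIFIOUT, WWANIN, WWANOUT, ZTIMESTAMP
        (1, 1, 1.2e6, 2.0e5, 0, 0, base + 3600),
        (2, 2, 0, 0, 4096, 262144, base + 200),
        (3, 3, 0, 0, 1024, 16384, base + 250),
        (4, 4, 3.0e5, 1.0e5, 0, 0, base + 5000),
    ]
    conn.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", procs)
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?,?,?,?,?,?,?)", usage)
    conn.commit()
    return conn


def find_indicators(conn):
    """Return every process row whose name matches an indicator, together
    with its first-seen time and summed Wi-Fi / cellular byte counts."""
    rows = conn.execute("""
        SELECT p.ZPROCNAME, p.ZFIRSTTIMESTAMP,
               COALESCE(SUM(u.ZWIFIIN + u.ZWIFIOUT), 0),
               COALESCE(SUM(u.ZWWANIN + u.ZWWANOUT), 0)
        FROM ZPROCESS p
        LEFT JOIN ZLIVEUSAGE u ON u.ZHASPROCESS = p.Z_PK
        GROUP BY p.Z_PK
        ORDER BY p.Z_PK
    """).fetchall()
    hits = []
    for procname, first_ts, wifi_bytes, wwan_bytes in rows:
        if procname in INDICATOR_PROCNAMES:
            hits.append({
                "procname": procname,
                "first_seen": core_data_ts(first_ts),
                "wifi_bytes": wifi_bytes,
                "wwan_bytes": wwan_bytes,
            })
    return hits


if __name__ == "__main__":
    # Usage against a real export: sqlite3.connect("DataUsage.sqlite")
    for hit in find_indicators(build_sample_db()):
        print(f"{hit['first_seen']:%Y-%m-%d %H:%M} {hit['procname']}: "
              f"wifi={hit['wifi_bytes']:.0f} wwan={hit['wwan_bytes']:.0f}")
```

The first-seen timestamp and the cellular byte counts are what make a hit actionable: they give the responder a window to line up against iMessage delivery times and against DNS or proxy logs from the same period, which is the next step the thread's "why plaintext DNS?" question points at.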
___________________________________________________________________
(page generated 2023-06-02 23:01 UTC)