Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory. We discovered that to bypass this hardware-based security protection, the attackers used another hardware feature of Apple-designed SoCs.
Someone figured out a way that could hijack iMessage through sending a special malicious PDF that took advantage of a flaw in some legacy font rendering code unique to Apple, that even Apple hadn’t used in decades.
Then, that PDF launched a JavaScript debugger that is built into iPhones, and took advantage of a flaw in that to jump into putting some code into the parts of user memory, that the system doesn’t fully trust.
Then, that code takes advantage of another flaw to bypass the system’s protections for not fully trusting that code, to secretly launch a web browser and navigate to a secret webpage that runs a much bigger piece of malware.
That malware can read and modify basically anything on the system, and was used to read all sorts of sensitive data: message history, location information, app data, etc.
Because the whole exploit chain was so advanced and involved so many different previously unknown vulnerabilities, basically the list of possible suspects is very, very short: some kind of nation state with advanced hacking capabilities.
Someone figured out a way that could hijack iMessage through sending a special malicious PDF that took advantage of a flaw in some legacy font rendering code unique to Apple, that even Apple hadn’t used in decades.
Then, that PDF launched a JavaScript debugger that is built into iPhones, and took advantage of a flaw in that to jump into putting some code into the parts of user memory, that the system doesn’t fully trust.
Then, that code takes advantage of another flaw to bypass the system’s protections for not fully trusting that code, to secretly launch a web browser and navigate to a secret webpage that runs a much bigger piece of malware.
That malware can read and modify basically anything on the system, and was used to read all sorts of sensitive data: message history, location information, app data, etc.
Because the whole exploit chain was so advanced and involved so many different previously unknown vulnerabilities, basically the list of possible suspects is very, very short: some kind of nation state with advanced hacking capabilities.