Operation Triangulate: Casually 0-click pwning iOS with undocumented hardware registers

I… uh… well, you know that image of the security researcher sort gibbering quietly and incoherently in the corner after Meltdown/Spectre/Foreshadow/etc all came out, because the hardware wouldn’t hold secrets?

The latest (discovered/discussed…) iOS exploit is the sort of thing that makes you want to do exactly the same thing.

From someone on Twitter:

Yup. Anyway.

Operation Triangulation: The last (hardware) mystery | Securelist is an overview of the undocumented GPU debug hardware registers used to just casually waltz past page table protections and such by writing physical addresses.

Operation Triangulation | Securelist is a list of other related posts on this bit of malware.

https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/ is Dan Goodin’s quite accessible writeup on the matter.

But I’ll just quote their description of the exploit chain here. You may want to sit down.


It’s got just about everything you could want in a spy novel grade exploit. PAC bypass. Unknown hardware registers to bypass [everything]. Chains of vulnerabilities. And, of course, it starts off with an iMessage 0click 0day in some weird-ass Apple-only legacy extension from the 90s.

My advice? Enable Lockdown if you have it, then shut your phone off, put it in a Faraday bag, and kiss your ass goodbye.

This is the state of modern computing security, in glorious, high definition detail: “Oh. You’re fucked. Sorry.”

Yikes! “The exploit targets Apple A12-A16 Bionic SoCs” found not only in iPhones, but also Apple TV, Apple Studio Display (a monitor featuring “Hey Siri”; an IoT device), iPads, MacBooks, and likely other products **1 not yet documented.

Silicon bugs will be with us for years, probably decades!

**1 - Apple silicon - Wikipedia

… the monitor is… oh my. Dear future, I’d like to get off!

The good news is that at least it’s fairly easy to block these registers - they added a “deny” bit to the device tree blob, though at some point if you’ve already got some kernel execution I’m not sure how much this helps.

Anyway, it’s fine. This is all fine. Computers are in everything, so what choice do we have?