
Trigon – A New Exploit Threatening the Security of iOS Devices
Security researchers have published details of a new exploit for Apple iOS devices. The exploit, named Trigon, targets a critical vulnerability in the virtual memory subsystem of the iOS kernel. The vulnerability was first uncovered by Kaspersky researchers while investigating the “Operation Triangulation” spyware campaign, in which it was exploited in the wild.
Trigon gives an attacker kernel-level read and write access to the device's memory, which is enough to bypass the system's security mechanisms and to read and modify data without the user's knowledge.
At the heart of Trigon lies CVE-2023-32434, an integer overflow in mach_make_memory_entry_64, one of the kernel's core virtual-memory functions.
By triggering the overflow, an attacker can create a memory entry whose size exceeds 18,000 petabytes (roughly the entire 64-bit address space), far beyond anything the device's hardware could hold. The cause is a bounds check that adds the requested offset and size in 64-bit arithmetic without checking whether the sum wraps around.
Because the wrapped sum looks small, the check passes and the oversized entry is created. The exploit triggers the condition with the following parameters:
size=0xFFFFFFFFFFFFC000, offset=0x8000
Added together, these values wrap to 0x4000 (one 16 KiB page), so the kernel accepts a request that actually covers almost the whole address space.
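The wrap is easy to reproduce outside the kernel. The following C program is an added illustration written for this article, not Trigon's code and not Apple's kernel source; it models the bounds check with a simplified stand-in for the named memory entry (only its size matters here, assumed to be one 16 KiB page) and shows the vulnerable comparison beside a hardened one that uses the compiler's overflow builtin.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Page size on the affected devices (16 KiB). Both exploit values are
 * multiples of it, since the kernel rounds memory-entry sizes to pages. */
#define PAGE_SIZE_16K 0x4000ULL

/* Exploit parameters as given in the text. */
#define TRIGON_SIZE   0xFFFFFFFFFFFFC000ULL
#define TRIGON_OFFSET 0x8000ULL

/* Simplified stand-in for a named memory entry (assumption: the real
 * kernel structure has many more fields; only the size matters here). */
struct named_entry {
    uint64_t size;
};

/* What the check computes when it adds offset and size in 64-bit
 * arithmetic: the sum silently wraps modulo 2^64. */
uint64_t wrapped_end(uint64_t offset, uint64_t size)
{
    return offset + size;
}

/* Vulnerable form of the bounds check: "does the requested range end
 * inside the parent entry?"  With the wrapped sum it answers yes even
 * though the range really spans almost the whole address space. */
bool range_check_vulnerable(const struct named_entry *parent,
                            uint64_t offset, uint64_t size)
{
    return (offset + size) <= parent->size;
}

/* Hardened form: detect the wrap first, then compare. */
bool range_check_hardened(const struct named_entry *parent,
                          uint64_t offset, uint64_t size)
{
    uint64_t end;
    if (__builtin_add_overflow(offset, size, &end))
        return false;                 /* sum does not fit in 64 bits */
    return end <= parent->size;
}

/* Convenience wrappers: run each check against a one-page parent entry
 * with the Trigon parameters. */
bool trigon_passes_vulnerable_check(void)
{
    struct named_entry parent = { .size = PAGE_SIZE_16K };
    return range_check_vulnerable(&parent, TRIGON_OFFSET, TRIGON_SIZE);
}

bool trigon_passes_hardened_check(void)
{
    struct named_entry parent = { .size = PAGE_SIZE_16K };
    return range_check_hardened(&parent, TRIGON_OFFSET, TRIGON_SIZE);
}

int main(void)
{
    printf("offset+size wraps to 0x%llx\n",
           (unsigned long long)wrapped_end(TRIGON_OFFSET, TRIGON_SIZE));
    printf("vulnerable check accepts: %d\n", trigon_passes_vulnerable_check());
    printf("hardened check accepts:   %d\n", trigon_passes_hardened_check());
    return 0;
}
```

A legitimate request such as offset 0 and size 0x4000 passes both checks, and an honest overrun such as offset 0x4000 with size 0x4000 fails both; only the wrapped request separates the two forms, which is exactly the case the hardened version exists to catch.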
How Does the Exploit Work?
1. Creating a Malicious Memory Block
The first stage works with memory that the kernel allocates on behalf of the GPU (Graphics Processing Unit). The exploit creates an IOSurface object and sets its PurpleGfxMem property; the GPU-backed memory behind that surface is what the oversized memory entry is created against.
Mapping that entry reaches memory far outside the surface's own bounds, including regions of the system that a user process would normally never be able to touch.
2. Accessing Physical Memory
In the next stage the exploit maps that entry into its own address space with mach_vm_map, giving it direct access to the device's memory. Precise offset calculations are needed to land on the parts of memory that hold critical iOS kernel structures.
One landmark is the iboot-handoff region, a block of data that the bootloader leaves in DRAM for the kernel during boot. By reading it, the exploit can work out where key kernel structures live.
3. Gaining Full Control Over the System
The ultimate goal of Trigon is unrestricted privileges within iOS. To get there, the exploit allocates thousands of IOSurface objects, scans memory for them, and picks out specific ones to use as stepping stones past the remaining protection layers.
It then walks the pv_head_table, the kernel's per-physical-page table that records each page's type and the mappings that reference it, to locate the pages holding critical structures such as the exploiting process's own task_t and proc_t. Modifying those structures grants root privileges and disables the process sandbox.
Trigon has been confirmed to affect A10(X) chip-based devices (such as iPhone 7 and iPad 6th Gen) running iOS versions 13 to 16.5.1.
Newer devices based on the A11, A12 and later chips are not covered by the exploit, thanks to hardening that arrived with successive generations of these chips, including:
✅ PAC (Pointer Authentication Codes) – Makes tampering with pointers in critical kernel structures detectable.
✅ PPL (Page Protection Layer) & CTRR (Configurable Text Read-only Region) – Block unauthorized modification of page tables and kernel code.
✅ iboot-handoff data on newer devices is kept in a protected region, so the exploit's current technique cannot read it.
Even so, Trigon is a serious threat: because it exploits a logic error in a bounds check rather than a traditional memory corruption bug or a race condition, it runs deterministically and leaves no crash behind, which makes it reliable for the attacker and harder to notice.
🔹 Apple patched the vulnerability in iOS 16.5.1 (and in iOS 15.7.7 for devices that cannot run iOS 16). If you are running an older version, update your device immediately.
🔹 Devices deliberately kept on an old iOS version, for example to preserve a jailbreak, remain exposed to exploits like this one. Avoid unauthorized modifications that prevent you from updating.
🔹 Organizations and enterprises should conduct regular security audits on iOS devices and apply necessary security measures.
🔹 Kaspersky researchers are continuing their investigation into new variations of this exploit and are expected to release further details.
Defending against this class of exploit ultimately requires protections rooted in the System on Chip (SoC) itself, of the kind that already stop Trigon on newer devices, since modern exploits increasingly bypass software-only security mechanisms.
For users, the best defense remains prompt software updates as part of a broader security strategy.