WikiLeaks has been gradually dumping documents it claims to have obtained from the CIA over the last few weeks, and the latest batch from what it’s calling Vault 7 purports to show that the U.S. intelligence agency has been targeting users of Apple’s Macs and iPhones. According to the organization, the CIA has several projects aimed at infecting Mac firmware and breaking into iPhones.
You may recall that Apple said after the first WikiLeaks Vault 7 dump that it had already patched most of the vulnerabilities the organization had revealed. It will be interesting to see if the company stays quiet or says the same thing again after it’s had some time to review this latest batch of documents.
WikiLeaks’ “Dark Matter” reveals targeting of Apple users
WikiLeaks is calling this section of its Vault 7 leak “Dark Matter.” It contains documents that explain how the agency achieves “persistence” on Apple’s Macs and iPhones, meaning an implant that survives reboots and, in the case of firmware implants, even a reinstall of the operating system or a replacement of the disk, since the code lives in the machine’s boot firmware rather than on the drive. The documents also demonstrate how the CIA uses “EFI/UEFI and firmware malware.”
One of the projects highlighted in the documents is called “Sonic Screwdriver,” which the CIA reportedly describes as “a mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting.” According to WikiLeaks, this means an attacker is able to boot their “attack software” from a USB stick even if the device’s “firmware password is enabled.” That matters because a firmware password is supposed to block booting from external media; code that runs from a peripheral’s own firmware during early boot sidesteps that control. To use “Sonic Screwdriver,” the CIA stores it in the modified firmware of a Thunderbolt-to-Ethernet adapter, which the Mac executes as part of its boot process.
Any Mac computer with a Thunderbolt port can be targeted with “Sonic Screwdriver,” according to the leaked user manual, which sets out a simple step-by-step method for compromising a Mac laptop or desktop with the tool. Beyond the fact that the CIA can do this, what is also disturbing is that anyone can now read how the CIA does it and attempt it themselves.
CIA has a suite of malware tools for Macs
WikiLeaks also released documents about the Triton malware for MacOSX and a full “suite” of tools the CIA apparently uses to break into MacBook Air computers. The documents describe “DarkSeaSkies” as “an implant that persists in the EFI firmware of an Apple MacBook Air.” It consists of three components: an EFI implant, a kernel-space implant and a user-space implant.
This Vault 7 leak also contains documents about DerStarke, which is part of the Triton malware for MacOSX. Apparently, the CIA was still using it as recently as last year and continues to work on DerStarke2.0.
iPhones might be coming off the line with bugs baked in
As if the CIA being able to break into Mac computers isn’t troubling enough, WikiLeaks claims that some iPhones may be leaving the production line with CIA implants already installed. Today’s batch of documents contains details on “NightSkies 1.2,” which is described as a “beacon/loader/implant tool” for the iPhone.
According to WikiLeaks, NightSkies is designed to be physically installed on iPhones fresh from the factory, which implies that CIA personnel handle the devices before they reach their buyers. The organization claims that the intelligence agency has been “infecting” its targets’ iPhone supply chain “since at least 2008.”
WikiLeaks notes that spies sometimes infect iPhones while the devices are in the target’s custody, but it suggests that many of these physical attacks have come through the supply chain of the organization being targeted, for example by intercepting devices the target has ordered. The organization states that the agency could gain access to the devices while they are in transit, install the tool and then return them to the mail stream.
Is this how officials cracked the terrorist’s iPhone?
All of these documents bring to mind the San Bernardino shooter, whose iPhone the FBI sought Apple’s help in unlocking. The company refused, so officials took it to court, only to drop their legal efforts later after they were able to get into the iPhone without Apple’s help.
From all of these leaked documents (assuming they’re real), it seems clear that the CIA has a large toolbox when it comes to hacking Apple devices. It shouldn’t be difficult for government hackers with these tools to break into an Apple device, which raises the question of why officials would ask for the company’s help at all. One caveat: the tools described here require physical access to a device or its supply chain and are installed before the target starts using it, which is a different problem from unlocking an already seized, passcode-locked phone.
And Apple’s not the only big tech name to get the “pleasure” of attention from the CIA. Another batch of documents from WikiLeaks’ Vault 7 dump pointed to BlackBerry QNX as being targeted.