Just over two weeks after revealing the true extent of the Central Intelligence Agency’s hacking arsenal, WikiLeaks today released more information on its infections designed for Mac and iOS.
These are the tools the agency used to exploit vulnerabilities in Apple’s software and gain persistent access to target computers and mobile devices.
As part of its Vault 7 series, WikiLeaks exposed the CIA’s massive catalog of malware and viruses earlier this month. It includes tools that provide remote control over smartphones, tablets, TVs, and more, and turns them into covert microphones for surveillance.
The latest addition to Vault 7, dubbed “Dark Matter,” exposes the hardware and software developed to hack Mac and iOS devices. The dump includes CIA user guides and manuals that lay out exactly how each one works and how it is executed.
Sonic Screwdriver
Designed to execute code on peripheral devices while a Mac is booting, Sonic Screwdriver uses a hacked Apple Thunderbolt-to-Ethernet adapter to bypass a firmware password. It can be used to boot to a USB thumb stick, optical drive, or external hard drive.
“The intended CONOP for Sonic Screwdriver is to be able to install EDG/AED tools on a Mac even if a firmware password was enabled,” explains the CIA manual. “EDG/AED tools usually requires an operator to boot to a specific device.”
The Sonic Screwdriver works on any Mac with a Thunderbolt port. The user manual contains a step-by-step guide on how the hacked Thunderbolt-to-Ethernet adapter can be created, and how to use it to boot from external devices.
Triton
Another tool developed for Mac, Triton is described as an “automated implant.” Once installed on a target machine, it can be used to execute automated and immediate tasks that feed data and information back to a “listening post” (LP).
It can be used to inject and execute software remotely, to fetch files and folders, and more. Its user guide explains how Triton can be built, how to install it on a target machine, the commands required to execute different tasks, and how to uninstall it remotely.
Der Starke
Der Starke is similar to Triton, but it is an EFI-persistent version that is designed to run on Mac OS X 10.7 and above. It is also compatible with Linux. It performs its network communications through a web browser so that it goes undetected by programs like Little Snitch.
DarkSeaSkies
DarkSeaSkies is a collection of hacks, individually named DarkMatter, SeaPea, and NightSkies, developed for both Mac and iOS. Together, these tools provide the CIA with persistent access to a device, the ability to execute code and fetch files, and more.
It starts with DarkMatter, an EFI driver that is buried in Apple’s firmware, allowing the other two applications to be installed. This is installed using a bootable flash drive, and is configured to “begin operation” at a specified time and date.
If that succeeds, the SeaPea kernel component can be loaded into the Mac’s RAM image, and NightSkies is also written to NVRAM.
“Once the root file system becomes writable SeaPea will write the NightSkies tool into a temporary file, execute NightSkies, and secure delete the NightSkies tool,” explains the Concept of Operations manual.
Like the Sonic Screwdriver, physical access to a target machine is required to install DarkSeaSkies. The machine must also have occasional internet connectivity to communicate with an LP.
NightSkies version 1.2, released in 2008, was designed to be compatible with the iPhone 3G. “The tool operates in the background providing upload, download and execution capability on the device,” reads the CIA guide.
The list of features includes retrieving files from an iPhone’s address book, SMS app, and call logs; sending files and binaries to the device; executing commands remotely; and granting “full remote command and control.”
What’s interesting about NightSkies 1.2 is that it is designed to be installed on a “factory fresh” iPhone. According to WikiLeaks, this means the CIA used it to infect “the iPhone supply chain of its targets,” before the device made it into their hands.
It is suggested that the agency was able to do this by intercepting mail orders and other shipments before they left the United States.
Taking advantage of Apple’s vulnerabilities
As the previous WikiLeaks dump revealed, these tools were designed to take advantage of vulnerabilities in Apple’s software, which the CIA reportedly withheld — despite a pledge from the Obama administration that such flaws would be disclosed so they could be fixed.
The user guides and manuals are of no use to anyone who doesn’t possess the malware, but they do reveal the incredible lengths to which the CIA has gone to obtain access to smart devices and turn them into covert spying machines.
It is believed that the agency’s arsenal includes software developed in-house, by third-party companies, and with the help of other agencies, including the NSA, FBI, and the U.K.’s GCHQ.
Many have already been patched
A day after the original Vault 7 dump, Apple confirmed that it had already patched “many” of the vulnerabilities the CIA had been exploiting. It also vowed to address others that had been identified.
“Apple is deeply committed to safeguarding our customers’ privacy and security,” the company told BuzzFeed’s John Paczkowski. “The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way.
“Our products and software are designed to quickly get security updates in the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates many of the issues leaked today were already patched in the latest iOS, we will continue to work rapidly to address any identified vulnerabilities.”
Apple urges its users to download the latest versions of macOS and iOS when available to ensure they have its most recent security patches.
7 responses to “WikiLeaks exposes CIA infections for Mac and iOS”
Self appointed truth messiah and self-admitted anarchist Julian Assange, is an accused rapist who has chosen to live in exile in the Ecuadorian embassy in London for FOUR YEARS, rather than face his two accusers in Sweden. Assange has also publicly stated that he’s afraid if he comes out of his self-imposed exile, he will be extradited to the U.S. to face charges (and most likely imprisonment) for treasonous acts. He is correct. He has been leaking emails, working with the Russians (a claim he does not deny), and working ardently to sway the 2016 American Presidential election… which he certainly mightily contributed to. These things are treasonous, and absolutely actionable.
My point is this: a man who is so deluded about his role in the world, and who so cavalierly uses the information he steals and leaks, cannot possibly be counted on for anything approaching full and honest disclosure. Even if he were right about all these so-called vulnerabilities in our cell phones and computers (something I doubt), I’d much rather put these whipped up fears aside, and trust Apple and other manufacturers to deal with them. Julian Assange, by his highly questionable, highly inappropriate leak of information, may have credibility in his own technical circles, but as an arbiter of fact and how it should be disseminated, he is wholly unqualified, if not a traitor to America… and himself.
Show me proof of a single time that he lied or a single time that his leaks have been successfully disputed. Oh you can’t? You’re just touting propaganda bs. Apple isn’t denying any of the vulnerabilities when they say they are already patched. Yet you fancy yourself more astute than Apple themselves in your idiotic denial of the truth.
Let me understand. You are asking me a question, and immediately answering it? Then, with as much respect as you deserve, bite me. I do not support or respect the work of foreign or domestic traitors, whether they are hiding up in a foreign embassy, or occupying the People’s House. When your mind is more open—or educated—get back to me.
That’s the weakest pivot away from the question ever. Prove me wrong. Answer my question.
Liquid, you said, “Show me proof of a single time that he lied…”
Assuming you mean Julian Assange, please show me exactly where I said he lied. In any event, that you seem to have missed even the essence of my estimation of Assange (remember, an •admitted• anarchist like Steve Bannon), is pretty scary.
Nice attempt at sounding reasonable. Unfortunately, your use of the word “honest”, even when prefixed with the qualifier “full”, does not allow you to squirm out of the fact that you have no proof of his dishonesty. Your belief in the authorities and their allegations of his sex crimes highlights the fact that you are a sad sheepish statist.