WikiLeaks exposes CIA infections for Mac and iOS

These are the sophisticated tools designed to exploit Apple vulnerabilities.
Photo: CIA.org

Just over two weeks after revealing the true extent of the Central Intelligence Agency’s hacking arsenal, WikiLeaks today released more information on its infections designed for Mac and iOS.

These are the tools the agency used to exploit vulnerabilities in Apple’s software and gain persistent access to target computers and mobile devices.

As part of its Vault 7 series, WikiLeaks exposed the CIA’s massive catalog of malware and viruses earlier this month. It includes tools that provide remote control over smartphones, tablets, TVs, and more, and turns them into covert microphones for surveillance.

The latest addition to Vault 7, dubbed “Dark Matter,” exposes the hardware and software developed to hack Mac and iOS devices. The dump includes CIA user guides and manuals that lay out exactly how each one works and how it is executed.

Sonic Screwdriver

Designed to execute code on peripheral devices while a Mac is booting, Sonic Screwdriver uses a hacked Apple Thunderbolt-to-Ethernet adapter to bypass a firmware password. It can be used to boot to a USB thumb stick, optical drive, or external hard drive.

“The intended CONOP for Sonic Screwdriver is to be able to install EDG/AED tools on a Mac even if a firmware password was enabled,” explains the CIA manual. “EDG/AED tools usually require an operator to boot to a specific device.”

The Sonic Screwdriver works on any Mac with a Thunderbolt port. The user manual contains a step-by-step guide on how the hacked Thunderbolt-to-Ethernet adapter can be created, and how to use it to boot from external devices.

Triton

Another tool developed for Mac, Triton is described as an “automated implant.” Once installed on a target machine, it can be used to execute automated and immediate tasks that feed data and information back to a “listening post” (LP).

It can be used to inject and execute software remotely, to fetch files and folders, and more. Its user guide explains how Triton can be built, how to install it on a target machine, the commands required to execute different tasks, and how to uninstall it remotely.

Der Starke

Der Starke is similar to Triton, but it is an EFI-persistent version that is designed to run on Mac OS X 10.7 and above. It is also compatible with Linux. It performs its network communications through a web browser so that it goes undetected by programs like Little Snitch.

DarkSeaSkies

DarkSeaSkies is a collection of hacks, individually named DarkMatter, SeaPea, and NightSkies, developed for both Mac and iOS. Together, these tools provide the CIA with persistent access to a device, the ability to execute code and fetch files, and more.

It starts with DarkMatter, an EFI driver that is buried in Apple’s firmware, allowing the other two applications to be installed. This is installed using a bootable flash drive, and is configured to “begin operation” at a specified time and date.

If that succeeds, the SeaPea kernel component can be loaded into the Mac’s RAM image, and NightSkies is written to NVRAM.

“Once the root file system becomes writable SeaPea will write the NightSkies tool into a temporary file, execute NightSkies, and secure delete the NightSkies tool,” explains the Concept of Operations manual.

As with Sonic Screwdriver, installing DarkSeaSkies requires physical access to the target machine. The machine must also have occasional internet connectivity to communicate with an LP.
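Because the DarkSeaSkies chain parks a component in NVRAM, one practical defensive check is to compare a machine’s NVRAM variables against a known-good baseline and flag anything new. The script below is an added example for this article, not code from WikiLeaks or the leaked manuals; the baseline names and the `nvram -p` dump are constructed so it runs offline, and the `EXAMPLE-unexpected-var` entry is a placeholder standing in for whatever an implant might leave behind (no real NightSkies variable name is known from the page).

```shell
#!/bin/sh
# Added example: report NVRAM variable names that are not in a baseline.
# On a real Mac the dump comes from `nvram -p`, which prints one
# "name<TAB>value" pair per line. A constructed dump is embedded here.

TAB="$(printf '\t')"

# Known-good variable names, one per line. These are assumed to have been
# collected from a freshly installed machine (assumption for the example).
BASELINE='SystemAudioVolume
bluetoothActiveControllerInfo
fmm-computer-name
prev-lang:kbd
boot-args'

# Constructed sample of `nvram -p` output. The last entry is a placeholder
# for an unexpected variable; it is not a real implant artifact.
SAMPLE_DUMP="$(printf 'SystemAudioVolume\t%%80\nfmm-computer-name\texample-mac\nprev-lang:kbd\ten:0\nboot-args\t\nEXAMPLE-unexpected-var\t%%00%%01')"

# nvram_unexpected DUMP BASELINE
#   Prints, one per line, every variable name in DUMP that does not appear
#   verbatim in BASELINE. Prints nothing when the dump matches the baseline.
nvram_unexpected() {
    dump="$1"
    baseline="$2"
    printf '%s\n' "$dump" | while IFS="$TAB" read -r name value; do
        [ -n "$name" ] || continue
        # -x: whole-line match, -F: literal (names may contain ':' or '-')
        if ! printf '%s\n' "$baseline" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# nvram_baseline_ok DUMP BASELINE
#   Returns 0 when no unexpected variables were found, 1 otherwise.
nvram_baseline_ok() {
    [ -z "$(nvram_unexpected "$1" "$2")" ]
}

# Stand-alone run against the constructed dump.
if ! nvram_baseline_ok "$SAMPLE_DUMP" "$BASELINE"; then
    echo "Unexpected NVRAM variables:"
    nvram_unexpected "$SAMPLE_DUMP" "$BASELINE"
fi
```

On a live Mac the call would be `nvram_unexpected "$(nvram -p)" "$(cat baseline.txt)"`, with `baseline.txt` captured right after a clean install. A name appearing in the baseline does not prove its value is benign (`boot-args`, for instance, is worth inspecting on its own), so this is a first-pass diff, not a verdict.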

NightSkies version 1.2, released in 2008, was designed to be compatible with the iPhone 3G. “The tool operates in the background providing upload, download and execution capability on the device,” reads the CIA guide.

The list of features includes retrieving files from an iPhone’s address book, SMS app, and call logs; sending files and binaries to the device; executing commands remotely; and granting “full remote command and control.”

What’s interesting about NightSkies 1.2 is that it is designed to be installed on a “factory fresh” iPhone. According to WikiLeaks, this means the CIA used it to infect “the iPhone supply chain of its targets,” before the device made it into their hands.

It is suggested that the agency was able to do this by intercepting mail orders and other shipments before they left the United States.

Taking advantage of Apple’s vulnerabilities

As the previous WikiLeaks dump revealed, these tools were designed to take advantage of vulnerabilities in Apple’s software, which the CIA reportedly withheld, despite a pledge from the Obama administration that such flaws would be disclosed so they could be fixed.

The user guides and manuals are of no use to anyone who doesn’t possess the malware, but they do reveal the incredible lengths to which the CIA has gone to obtain access to smart devices and turn them into covert spying machines.

It is believed that the agency’s arsenal includes software developed in-house, by third-party companies, and with the help of other agencies, including the NSA, FBI, and the U.K.’s GCHQ.

Many have already been patched

A day after the original Vault 7 dump, Apple confirmed that it had already patched “many” of the vulnerabilities the CIA had been exploiting. It also vowed to address others that had been identified.

“Apple is deeply committed to safeguarding our customers’ privacy and security,” the company told BuzzFeed’s John Paczkowski. “The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way.

“Our products and software are designed to quickly get security updates in the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates many of the issues leaked today were already patched in the latest iOS, we will continue to work rapidly to address any identified vulnerabilities.”

Apple urges its users to download the latest versions of macOS and iOS when available to ensure they have its most recent security patches.