Security Experts:

WikiLeaks Releases Data on CIA's Apple Hacking Tools

CIA Apple hacking tools

WikiLeaks has released a new round of Vault 7 files. The latest dump, dubbed “Dark Matter,” details some of the tools allegedly used by the CIA to target Apple devices.

The tools are named Sonic Screwdriver, Der Starke, Triton, DarkSeaSkies, NightSkies and SeaPea and, based on the descriptions provided in the files made available by WikiLeaks, they can be used to spy on iPhones and Mac computers. However, in most cases, deploying them requires physical access to the targeted device.

Sonic Screwdriver, for instance, is a tool that can be used to execute code from a USB thumb drive or other external disk connected to a Mac laptop even if the firmware is protected by a password. The documents obtained by WikiLeaks show that Sonic Screwdriver is stored on the firmware of a Thunderbolt-to-Ethernet adapter.

The DarkSeaSkies implant is designed for targeting the EFI on MacBook Air computers, and it’s meant to be delivered via “a supply chain intercept or a gift to the target.” DarkSeaSkies relies on the DarkMatter EFI driver for persistence and installing other tools, and the SeaPea OS X rootkit for stealth and execution of other implants. One such implant is NightSkies, which provides command and control capabilities.

The documents show DarkSeaSkies can be installed by booting the targeted system with an external flash drive. The implant is persistent across OS upgrades and reinstalls, but it can be removed by the attacker using a special command. Under certain conditions, the implant may also remove itself automatically.

Another set of tools includes a piece of OS X malware dubbed Triton, its infector Dark Mallet, and Der Starke, the EFI-persistent version of Triton.

One version of the NightSkies tool is designed for targeting iPhones. Once installed on a device, it can be used to execute arbitrary commands, download additional tools to the phone, and steal various types of files, including the address book, SMS messages and call logs. NightSkies, which also requires physical access to the targeted device, is recommended for “factory fresh” devices.

The documents are dated 2008, 2009 and 2012, but WikiLeaks claims other Vault7 files show the CIA has continued to improve these tools. The organization also pointed out that the files show the intelligence agency has been “infecting the iPhone supply chain of its targets since at least 2008.”

“While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” WikiLeaks said.

Impact of the tools and risks

The first Vault7 dump summarized the CIA’s alleged hacking capabilities, and appeared to show that the agency is capable of spying on or through a wide range of devices. While actual exploits have not been published, the information that was made public did not describe any sophisticated tools and many of the vulnerabilities had already been addressed.

In the case of the Dark Matter dump, the fact that the Apple implants require physical access to devices makes them less dangerous. Nicholas Weaver, a researcher at the International Computer Science Institute of the University of California, Berkeley, pointed out, “if somebody has physical access to your computer, you can’t call it yours anymore.”

As for WikiLeaks’ supply chain claims, Weaver and others believe the organization’s statement may be misleading.

“Installing onto ‘factory fresh’ is not about interdiction but targeted delivery: the CIA asset gives the target a phone or a MacBook, this is the general extent of the ‘supply chain’ the CIA is concerned with,” Weaver told SecurityWeek via email.

“Interdiction in the ‘supply chain’ works very well for things like routers, which are big, expensive, few in number, shipped from the US, and to known customers,” he explained. “For example, a Cisco router sent to Syria. Basically you have to know that ‘his package is being shipped from location I can control to known target’ in order to intercept and sabotage.”

Weaver continued, “It doesn’t work for something you can buy at a local store or which is drop-shipped from a local warehouse in the country where it’s going to be used from any of a gazillion different vendors. The CIA doesn’t have a fleet of agents in foreign post offices that can grab such a package. And you don’t mass-poison (say at the factory) this way, for THAT you would have to sabotage the machine that programs up all the iPhones in the first place.”

On the other hand, Weaver pointed out that the WikiLeaks files reveal some interesting information about the CIA’s human intelligence (HUMINT) capabilities.

“At least one tool was specifically because the asset could give the target a MacBook Air, indicating that the target was very trusted by the asset,” the expert said. “Likewise, the two tools together which allow one to reflash firmware even when the EFI password was set says that the CIA had a case where a paranoid target had his computer with a very low level password in the firmware, and the asset would have access to the computer for a short period of time and needed to reflash the computer.”

Related: Cisco Finds Zero-Day Vulnerability in 'Vault 7' Leak

Related: Apple, Google Say Users Protected Against CIA Exploits

Related: "Vault 7" Leak Shows CIA Learned From NSA Mistakes

Related: Industry Reactions to CIA Hacking Tools

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.