WikiLeaks Reveal CIA Capabilities to Break into Apple Products

New revelations from WikiLeaks have shown CIA capabilities to break into Apple products.

Among the new cache are revelations on the CIA's spying programs and its capabilities to infect Apple Mac computer firmware. The new documents, named "Dark Matter", explain the techniques used by the CIA to gain 'persistence' on Apple devices, including Macs and iPhones, and demonstrate its use of EFI/UEFI and firmware malware.

Among these is the "Sonic Screwdriver" project, a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting", while "DarkSeaSkies" is "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consists of DarkMatter, "SeaPea" and "NightSkies", respectively EFI, kernel-space and user-space implants.

The concept of Sonic Screwdriver, which follows the Doctor Who naming theme of "Weeping Angel" from the first release on 7 March, allows an attacker to execute code on peripheral devices while a Mac device is booting, even when a firmware password is enabled. "The CIA's Sonic Screwdriver infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter," the leaked document said.

Elsewhere, there are documents on "NightSkies 1.2", a "beacon/loader/implant tool" for the Apple iPhone, the "Triton" MacOSX malware, its infector "Dark Mallet" and its EFI-persistent version "DerStarke". The DerStarke1.4 manual dates to 2013; other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

“While CIA assets are sometimes used to physically infect systems in the custody of a target, it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” WikiLeaks’ release said.

The documents are mostly from last decade, except a couple that are dated 2012 and 2013, claimed Motherboard.

The previous Vault 7 release detailed how the CIA could break into smartphones, computers and other connected devices, including smart TVs. WikiLeaks later announced plans to work with affected manufacturers to help them push out fixes, but according to Motherboard, Julian Assange sent an email to companies mentioned in the documents asking them to sign off on a series of conditions before they could receive the technical details needed to deploy patches.

In an email to Infosecurity, F-Secure security advisor Sean Sullivan said he suspected that law enforcement agencies were targeting phones more than 10 years ago, so no doubt intelligence agencies did as well. "In presentations I've often been asked about iPhone security and the answer was always 'it's safe from crimeware, but it can be hacked'. All you needed for evidence was to look at the latest jailbreak.

"Given that the CIA does HUMINT, I think that the CIA was seeking a persistent backdoor (Mac & iOS). Given the underlying design of the OSs, it shouldn't have been difficult to develop. With physical access to the device, many things are possible."

Paul Calatayud, CTO of FireMon, said: “The validity of the dumps from my 18 years of experience in cyber, including eight years within the army cyber teams, would lead me to state these claims have basis and are worth taking real consideration over. The tools are very noteworthy yet to be expected if you understand the space.

"We have seen issues with suppliers and manufacturers in the computer world installing or not being aware of rootkits and low level firmware key loggers being installed, examples being Lenovo. The question moves away from technology capability towards intent and success. This is where I would disagree with others. I suspect this program was able to weaponize malware at low levels of Apple phones. I disagree that the program had large scale reach or that they were able to distribute it with Apple support or with any success. In other words, just because the malware was designed, does not mean it is present in all phones.

"Looking at the fight between the FBI and Apple over backdoor and encryption further leads me to believe these capabilities and the malware is not readily deployed in the wild. I suspect there was far greater success of surveillance programs within the wireless networks vs. what's on the device. Just think, what data that lives on your phone is not somehow being transmitted over wireless protocols and internet services; text messages, phone calls, email messages, etc.”
