Wikileaks has released their latest Vault 7 data dump, and the new documents are shining a light on how the CIA can hack Apple devices before they even end up in the hands of consumers. The sad reality is, most Apple users already suspected this type of activity was taking place, but the new information shows us just how it works.
“Dark Matter,” which is the title of the most recent leak, claims that not only has the CIA hacked iPhones, they’ve been doing so since at least 2008, one year after the product was introduced to the market. Wikileaks posted the following statement on their website:
~Today, March 23rd, 2017, WikiLeaks releases Vault 7 “Dark Matter,” which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by the CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones, and demonstrate their use of EFI/UEFI and firmware malware. Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software, for example, from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
~Also included in this release is the manual for the CIA’s “NightSkies 1.2” [which is] a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones, i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.
NightSkies, according to Wikileaks, was actually operational in 2007, the year that Apple launched the iPhone. In a document describing the NightSkies malware for an iPhone 3G running iOS 2.1, which was the second series release for the phone, the CIA stated that they granted the agency full control over an infected device: “The tool operates in the background providing upload, download and execution capability on the device. NS is installed via physical access to the device and will wait for user activity before beaconing. When user activity is detected, NS will attempt to beacon to a preconfigured LP [listening post] to retrieve tasking, execute the instructions, and reply with the responses in one session.” So basically, as soon as a user activates their phone, it would send a signal to the CIA, giving them access to everywhere you go, everything you say, and everything you do. Considering that over 100 million iPhones are in use in the United States alone, that is a lot of access for the agency to have.
MacBooks were also listed as a primary target for the CIA. This time they used an implant called “DarkSeaSkies.” According to the Wikileaks statement:
~”DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter,” “SeaPea” and “NightSkies,” respectively, EFI, kernel-space and user-space implants.
~Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016, the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.
Documents also allegedly show that the CIA Embedded Development Branch has been hacking Macs since as far back as 2005. While NightSkies ran on Mac OS X 10.5.2 and above, another rootkit called SeaPea was running on Mac OS X Tiger 10.4, launched 12 years ago. In detailing how a combination of tools, including NightSkies, would work on a Mac, the CIA wrote that it would act as “a beacon/implant that runs in the background of a MacBook Air that provides us with command and control capabilities. The implant will beacon periodically.” Once the MacBook had been compromised following a physical installation, the CIA could access it whenever they wanted.
Another spy weapon launched by the CIA on Macs was The Sonic Screwdriver Project, carried out in 2012. It would run on the firmware of an Apple Thunderbolt to Ethernet adapter and install low-level malware on the Mac from there. It is named after a tool used on the television program “Doctor Who” that opens just about anything. In the same sense, this nefarious project would easily infect other systems, thus opening the door for the CIA to access them as well.
Wikileaks is said to be in touch with not only Apple currently, but Google, Microsoft, and other tech companies as well about the leaks. The reason behind this move is so that patches can be created and released to protect users from this type of invasion. Before handing over information, however, Wikileaks has issued a list of demands including promises to fix bugs that allow the spying within 90 days. So far, none of the companies have responded.
A spokesperson for the CIA would not comment on the authenticity of the documents, but did provide a brief and insulting statement, vilifying the Wikileaks release: “The American public should be deeply troubled by any Wikileaks disclosure designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations but also equip our adversaries with tools and information to do us harm.”
It is still unsettling to hear that companies are using our privacy as currency with government agencies. Apple, unfortunately, is not the only company engaged in this type of behavior. Time will surely tell just how Microsoft, Amazon and dozens of other tech companies are making closed doors deals with Big Brother.