From the early days of the iPhone, the CIA has had an interest in compromising the flagship Apple mobile device, according to the latest WikiLeaks release of CIA documents.
Today’s Vault 7 Dark Matter release shows an unsurprising interest from the intelligence agency in tracking iPhone users, as well as capabilities in developing implants and exploits targeting Mac firmware running on Macbooks.
The iPhone attack documentation for the CIA’s NightSkies tools describes a beacon dating back to 2008, purpose-built for factory iPhones, indicating the CIA’s ability to interdict the Apple supply chain and install this tool.
“Intelligence agencies used to put these beacons in someone’s car and track its radio signals. Modern beacons infest iPhones and report over the internet the location of an iPhone and other information from the phone,” said WikiLeaks founder, exiled publisher Julian Assange, during a press conference aired over the WikiLeaks Periscope account.
“Noteworthy is that NightSkies reached version 1.2 in 2008, indicating that it was in the process of being developed for some time,” Assange said. “It is expressly designed be physically installed on factory-fresh iPhones, not phones that are stolen and then have the malware implanted, but in an iPhone before you get it.”
A request for comment from Apple was not returned in time for publication.
Assange said the CIA’s Embedded Development Branch (EDB) is responsible for developing these tools, and the group’s documentation shows the agency’s interest in not only targeting iPhones and Macbooks, but also maintaining a persistent presence on those devices that would survive a reinstallation of the Apple operating system.
The release comes two weeks after the first Vault 7 release on March 7. The initial batch of documents were dated between 2013 and 2016 and included documentation on compromises for all the major modern browsers, smartphones, Windows, macOS and Linux computers and smart televisions. Cisco was the first vendor last Friday to warn its customers about a vulnerability affecting more than 300 of its routers and switches. The company still has not patched the flaws.
Today’s dump of CIA documents shows how the agency concentrated on developing malware and exploits that would attack the firmware running on Macs and iPhones, specifically EFI and UEFI firmware.
The Sonic Screwdriver project, for example, is an exploit that targets peripherals and executes as a Mac boots up, bypassing the protection afforded by an Apple Firmware Password, which prevents alterations of the boot path.
“The code for the Sonic Screwdriver is stored on the firmware of an Apple Thunderbolt-to-Ethernet adapter,” the documentation states. “The implant code will scan all internal and external media for a device with a specific volume name.” Once the volume is found on a USB, CD or hard drive, it will execute a UEFI boot of that device.
The documentation also describes an implant called DarkSeaSkies, an EFI implant for Macbook Air laptops that includes the DarkMatter EFI implant, a kernel-space implant called SeaPea, and the NightSkies beacon/implant.
Another manual describing an implant called Triton for MacOS X machines and an EFI-persistent implant called DerStarke were also part of today’s dump. DerStarke dates back to 2013, but Assange said that the CIA continued to update these tools through last year and has begun work on version 2.0.
Assange said that WikiLeaks reached out to the technology vendors impacted in the first Vault 7 dump, contacting on March 12 Google, Apple, Microsoft, Mozilla and others. Assange said Cisco was proactive in reaching out to WikiLeaks for information, and that no exploits were shared with Cisco, but that the description in the March 7 dump was enough for Cisco to work out the issue.
Mozilla, meanwhile, responded on March 12 and Assange said it agreed to WikiLeaks’ disclosure terms which match industry standards that include a 90-day disclosure deadline, and secure points of contact that include encryption keys.
MikroTik, a manufacturer of VoIP controllers targeted by the CIA replied similarly on March 15, but Google and Microsoft, which both replied March 20, pointed WikiLeaks instead to their respective disclosure terms, Assange said.