New WikiLeaks Vault 7 ‘Dark Matter’ leak claims CIA bugs ‘factory fresh’ iPhones, infects Mac firmware

A new WikiLeaks Vault 7 leak, “Dark Matter,” claims that the United States of America’s Central Intelligence Agency has been bugging “factory fresh” iPhones since at least 2008.

The WikiLeaks website states, verbatim:


Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.

Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStake” are also included in this release. While the DerStake1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008. [Bold emphasis added – MDN Ed.]

While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.

https://twitter.com/wikileaks/status/844932796250509312

MacDailyNews Take: Yikes!

Note that, as with the iPhone (at the “factory level,” “shipping interdiction,” or otherwise), the Mac exploits seem to require physical access to the Mac.

32 Comments

    1. This is ALL old news. The same data were released by Edward Snowden three years ago and the iPhone project is basically the same as the NSA one he showed. It requires physical access to the iPhone. This time the data is about a exploit dated 2008 and works on iPhones of that vintage. NOTHING is certain that it works on Apple’s modern devices.

      Last year Apple closed the vulnerability that allowed modification of the firmware by external devices on the USB and Thunderbolt buses. That train has already left the station on up-to-date Macs. The commands to do so are even locked out at the Terminal level and require keyboard authentication. or another password, even for Superusers now, IIRC.

      1. Ah, but it is so much fun to run around screaming that the sky is falling. This sort of story fosters the myth that Apple devices are just as vulnerable to exploitation as Windows and Android. Yes, they can be exploited, but (absent dumb-user cooperation) it requires more effort than it is usually worth.

        1. The old newspaper adage was “If it bleeds, it leads!”

          Now, it’s “If it leaks, it leads! Especially if we can put ‘Apple’ in the lede!”

          I’ve been looking at what was coming out on this and from what I can see, all of the claims are about old vulnerabilities for older devices or older OSes that have been long closed. I’ve seen nothing new or surprising. I’ve seen nothing that smacks of a remote exploit at all. Now that would be startling, alarming, and REAL NEWS!

    1. The same country that stole Hawaii, Navajo Nation, and parts of Mexico from their original owners. I’d agree with you, but since you’re so hostile towards the native peoples of this continent I’m not so sure I could respect you.

      1. Why not go all the back to the “take over” of the Iroquois Nation?

        As I pointed out yesterday, your statements don’t hold up when compared to historical facts. Just in this post the “parts of Mexico from their original owners”. You’ve obviously never heard of the Gadsden Purchase or any of the myriad details that went into that — or, in your trolling, have just chosen to ignore those facts.

        So, as far as respect goes, *no one* on this site should have *any* respect for you as long as you continue in your blatant trolling mode.

      2. Heir to the throne…..

        Please tell me one country, territory or land mass on the planet (except possibly the north/south pole) that hasn’t changed rulers, leaders or governments since the dawn of time? The strongest and most developed overtake, conquer or in some cases pay or negotiate territories.

        Get over it already. Stole Hawaii….get real.

      3. Heir,
        You know more about Hawai’i than I do, but my impression is that the undoubted theft of the islands from their native population was less the work of the U.S. Government than of white Hawaiian residents who were eligible to vote in national elections.

        As for Mexico: By 1836, the majority of Texas residents, Hispanic as well as Anglo, supported independence as the only viable means of escape after the dictator Santa Anna overthrew the 1824 Mexican Constitution. By 1848, Anglo settlers in the mostly empty territory handed over by the Treaty of Guadelupe Hidalgo probably outnumbered those who were loyal to Mexico. (Native populations had been decimated by disease.) The Gadsden Purchase was a straightforward commercial transaction.

        If you think Americans stole the land from Mexico, what about the Mexicans who stole it from Spain, the Spanish who stole it from the Comanches, the Comanches who stole it from the Lipan Apaches, the Apaches who stole it from the Tonkawas, and so on back into prehistory? Even in Europe, the current populations displaced earlier peoples all the way back to the Neanderthals.

        There are some tangled webs that don’t bear untangling.

      4. I’m hostile towards you, and I don’t know or care if you are white, yellow, black, striped or polka dot.
        But by all means unleash your racist hatred and vitriol my way, that way others won’t be affected by your racist hatred.

      1. That’s OK, the free and civilized world has had to endure the whine of whaaaaa Iraq has a weapons of mass destruction program and whaaaaa someone has been wire tapping my chump towers, my precious chump tower.

        So those that dish it out should be able to take it.

  1. I’m skeptical that this has happened . . . simply requires too much conspiratorial stretches of the imagination for me when it comes to “factory fresh” devices. That doesn’t mean I’m not paying attention to it — or that I don’t assume that essentially everything I do on an Internet connected device might be subject to theft. I’m just saying that a multitude of companies and people would have to be involved to accomplish assembly-line infection and I don’t think it could be kept a secret for this many years.

    1. You can do unbelievably nefarious things with Macs and iOS devices if you can get extended periods of time (hours or even days) physical access to the device. That’s just reality.

      The extreme is to open up the device, de-lid the components and do SEM reading or the equivalent of ECM montoring of the electronics inside. These efforts effectively are restricted to just State Actors because of the expenses.

      However, there are lots of less nasty things that can be used in most cases.

      Now if Assange and his scum friends are claiming full access wirelessly and full take over wirelessly, you have plenty of reasons to believe that these claims are mostly, if not entirely, bogus.

      1. Well, that’s the trick, getting physical access. It’s doubtful that the CIA could get into the Shenzhen factory (I’d think the Chinese spies would have a better chance). There’s the truck transportation to the airport. And then the jet itself. Not sure what carrier Apple uses, maybe DHL, but the CIA could have an operative within the company that could get into the cargo, open up the several layers of tamper resistant boxes and physically alter a unit that they have identified as going to a person of interest. Then the operative would have to close up the packaging in a way that shows no signs of tampering. OK, maybe doing it on the airplane is too difficult. US ground transport could be intercepted instead. Fewer boxes to get into. Fun to think about – it’s like writing a spy novel.

  2. This is complete nonsense. Wikileaks is an agent of the Russian government, and only 30% of their documents on average are legitimate. There is no possible way that the CIA infects factory fresh iPhones. The Chinese cooperate with this? Bullshit. Apple doesn’t know? Bullshit. Wikileaks doesn’t have any credibility until they start releasing Russian intelligence information. Total nonsense.

    1. Please list the inaccurate documents that Wikileaks has released. I will allow that these are OLD NEWS. The data here is from 2008, but it is accurate as far as it goes.

      So far, Wikileaks data has been found to be true.

      So, what to your knowledge is false. Facts please.

      1. Please read the booK “the plot to hack America” by Malcom Nance. Cited you will see the House and Senate intelligence reports of Wikileaks that state 30%- ⅓ of their documents are fraudulent. Now do they go through them to release what they can prove or selectively edit things that can’t be disproven? Yes. But over all their documents are not 100% correct. It’s closer to 70%. Also, instead of deflecting my answer why not answer why they seem to never release any Russian information? It’s not because they aren’t doing bad things… think about it for more than a minute. When Wikileaks statrs attacking the Russians the same way the attack the US and Britain, I will believe what they say and that they have a real mission. Assange as far as I’m concerned is an anarchist and a rapist, as well as an enemy of the west. If you’re wanted for rape by the Swedes then it must be pretty bad, and he has never released anything damaging about the Russians. He is also the person who encouraged, and coordinated Edward Snowden taking refuge in Russia.

        1. The rape is very questionable. Even the girl involved now says it was consensual sex while they were both drunk. She had second thoughts a week later and a girl friend convinced her to report it as a rape. Now the authorities refuse to drop the rape case.

          I’ve heard, but not read about those cases that the book claims are false, but there is no proof they are false. It is written from a bias viewpoint to make political points, not factual. It declares all of the DNC hack reports as false. . . and the work of the Russians but there is zero evidence of that. None, Zip, nada. The book is propaganda written by a democrat hack intended to prop up the Clinton party line that Wikileaks is working with the Trump campaign. It lacks evidence to back any of those claims. It begs the question from the start, assuming from the start that Putin is behind Assange.

          1. Before commenting on the book, you should read it. Do not accept someone’s opinion on the book until you havebealuated it for yourself. And the intelligence committee reports are presented there in their entirety. The fact that you’re still deflecting and defending the Russians is incredibly telling. The girl in Sweden by the way has NOT said it was consentual, and even if it was she was under the consent age which means it’s statutory. Mr Nance is not a hack in any stretch of the imagination, he has worked for the NSA for 30 years in 6 different administrations. And every intelligence agency agrees with his analysis. And there is ample evidence that Wikileaks operates as part of the Russian FSB. It’s in the intelligence reports , even the declassified ones. You’re either deluded, beyond the point of critical reasoning, or a paid troll to spout this nonsense. You’ve asked for my proof and I’ve provided it… prove your side instead of just providing conjecture and opinion, which wouldn’t fly against me in any court.

  3. The only “factory fresh” iPhones mentioned here were manufactured in 2008. I quote: “. . .the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008. . .”

    Edward Snowden had released a similar document from the NSA papers that outlined software that would do essentially the same thing to an iPhone that also required physical access to compromise it before delivery to the target individual or organization. That was from October 2007.

    There is nothing in this document that shows they have a way of modifying a modern iPhone 7, or even one made after the Secure Element was added to the iPhone design. Apple of 2008’s iPhone essentially had zero protection from attacks like this. Now, that’s not the case.

  4. A lot of this smells like BS. While it is expected that clandestine spy activity would have some man in the middle activity for targeted foreigners, this complete focus on Apple products seems unbelievable.

    The other take away. Anyone worth spying on, only buy Apple products.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.