Vault 7 revelations are back via WikiLeaks, and it seems that iPhones are the center of attention this time as documents reveal that the CIA has been infecting macOS firmware and “factory fresh” iPhones for years.
If the first time around we saw a trove of documents regarding all types of exploitations the CIA can make use of, this time we’re focusing on Macs and iPhones.
For instance, the “Dark Matter” documents discuss one project called “Sonic Screwdriver.” Created by the CIA’s Embedded Development Branch, the Screwdriver is a mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting.
In short, an attacker could install malicious software on your device via a USB stick, even if a firmware password is required. The infector for this particular tool is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
Then, another project is “DarkSeaSkies” which is an implant that persists in the EFI firmware of an Apple MacBook Air computer, along with Triton macOS malware, its infector “Dark Mallet” and its EFI-persistent version “DerStake.”
Documents in the hands of WikiLeaks include the 2013 DesStake 1.4 manual, but other documents show that as of 2016, the CIA continues to rely on and update these systems and is working on a second DerStarke version.
Infecting the iPhone supply chain
Another one of the CIA’s tools targets iPhones. By using a “beacon/loader/implanter tool” called NightSkies, factory-fresh iPhones can become infested. WikiLeaks states that documents in its hold indicate NightSkies had reached version 1.2 by 2008 and was expressly designed to be physically installed onto fresh iPhones alone, which, they claim shows the CIA had been infecting the iPhone supply chain ever since.
“While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” WikiLeaks writes.
Apple has yet to address the new leaks. During the previous round of documents revealed a little over two weeks ago, several tools were shown to target iPhones and Macs. Then, Apple said that the technology built into today’s iPhone is the “best security available to customers” and that it had already fixed many of the vulnerabilities exploited by the CIA, as per the WikiLeaks document dump.