
WikiLeaks’ latest Vault 7 documents profile CIA’s exploits for Mac & iPhone

Update: Apple has issued on today’s WikiLeaks documents:

In its ongoing effort to leak government security documents, WikiLeaks has just dropped the latest in its Vault 7 collection. Titled “Dark Matter,” this release contains documents showcasing various CIA projects for infecting Apple computers and iPhones. The Mac-specific implants are considered harder to combat, since they infect the EFI firmware and persist even after the operating system is reinstalled.

The Sonic Screwdriver project, aptly named after the Doctor Who gadget that opens just about anything, is nefarious in how easily it can infect other systems. The project can be launched from a USB stick, or even from an Apple Thunderbolt-to-Ethernet adapter with modified firmware.

According to what WikiLeaks shared, the documents state that the attack works even if the computer is locked down with a firmware password. This exploit sounds very similar to what Pedro Vilaca discovered in the middle of last year.

The other CIA exploit projects center on remaining persistent in the EFI after installation. EFI, or Extensible Firmware Interface, is Apple’s equivalent of the BIOS found in PC systems. Because it is “baked in” to each Mac, reinstalling macOS from scratch does not remove or clear the EFI. In the new “Dark Matter” release, WikiLeaks says that DarkSeaSkies specifically implants itself into the EFI of MacBook Air computers. It describes DarkSeaSkies as a combination of the DarkMatter, SeaPea, and NightSkies tools, which “implant” themselves into the EFI, kernel space, and user space respectively.

Potentially scarier in this release is the manual for the NightSkies tool, made specifically for the iPhone. NightSkies version 1.2 had been in use since 2008 and, according to WikiLeaks, was specifically designed to be installed on “factory fresh iPhones.” This has led WikiLeaks to believe that “the CIA has been infecting the iPhone supply chain of its targets since at least 2008.”

Regarding that last claim, security researcher Will Strafach noted that WikiLeaks’ release today shows no indication that phones were being infected directly in the supply chain. According to Strafach, “The mention of ‘supply chain’ is misleading because it is not substantiated in the source documents. The terminology used was ‘factory fresh’ which indicates it is just a new device, but does not mean there was any sort of infection at a factory. Further, other documents make it clear that this toolset is intended for use on a device that will be given to the target by the operator or asset.”

As with most of the leaks of previous weeks, many of these releases describe software vulnerabilities that no longer exist. Strafach took to Twitter to remind others that none of these vulnerabilities are new or should be of concern.

From the short WikiLeaks summary shared today, all of these attacks required physical access to the victim’s machines. The most recent releases all seem to stem from years-old vulnerabilities that Apple has already acknowledged as fixed.

While these vulnerabilities may be patched for those on the most up-to-date software, the release still raises the question of what else exists that has yet to be disclosed.
