In its latest release, as promised, WikiLeaks takes a look at how the CIA has invited itself into our personal lives through popular electronic devices, this time looking at Apple products, including the Mac line of desktop and laptop computers and the ubiquitous iPhone.
The Vault 7 “DarkMatter” documentation looks at CIA projects that infect Apple’s Mac product line at the firmware level, which basically means that the infection persists even if the owner of the computer reloads the operating system. The documents explain the process and techniques that members of the CIA’s Embedded Development Branch use to ensure that the CIA’s “fun and games malware” remains persistent.
There are several CIA Apple-related projects included in this release:
1.) Sonic Screwdriver – a mechanism used to execute code on peripheral devices while a Mac desktop or laptop computer is booting. This allows an attacker to boot their attack software from a USB stick, DVD/CD or external hard drive. The software allows the user to alter the boot path of the computer, bypassing the Apple Firmware Password. Here is the key section from the Sonic Screwdriver User’s Guide dated November 29, 2012:
2.) DarkSeaSkies – an implant that persists in the UEFI (Unified Extensible Firmware Interface) of an Apple MacBook Air laptop. This required the CIA asset or operator to have one-time physical access to the target system, with the malware being installed from a bootable flash drive. DarkSeaSkies was not persistent across firmware updates; it would be overwritten in the event of a firmware update. Here is the key section from the DarkSeaSkies 1.0 User Manual dated January 26, 2009:
3.) Triton/Dark Mallet/Der Starke – persistent Mac OS X malware that is installed using a USB stick, as shown here:
4.) Nightskies 1.2 – a tool designed to be physically installed on factory-fresh iPhones. It then waits for user activity before it beacons. Apparently, the CIA had been infecting the iPhone supply chain since at least 2008, with the first version being designed for the iPhone 3G running OS version 2.1. User activity is detected by monitoring directories on the phone, including browser histories, the YouTube video cache, map file cache and mail file metadata. Nightskies can retrieve the user’s address book, SMS text messages, mail files and call logs. The software is designed to self-upgrade. Here is the key section from the Nightskies User Manual dated December 2008:
Potentially, hundreds of millions of Apple consumers can thank the Central Intelligence Agency for taking away even more of what little privacy they had left in the post-9/11 world.