Vault7 Dark Matter batch – CIA has been targeting the iPhone supply chain since at least 2008

Wikileaks released the second batch of CIA’s Vault 7 dump, it contains other precious documents to understand the way CIA was hacking systems worldwide.

The Wikileaks Vault 7 dump will make for a long time the headlines, the organization has just released another lot of classified documents related the hacking tools and techniques and exploit codes used by the CIA cyber spies to hack Apple MacBook and iOS devices.

Wikileaks dubbed this batch of information as ‘Dark Matter,’ it includes five documents on Mac and iPhone hacks developed by the CIA.

This is the second bash of Vault 7 released by WikiLeaks after the whistleblower organization released the first one on March 7.

The hacking tools and techniques were devised by CIA unit, called Embedded Development Branch (EDB).

“Today, March 23rd 2017, WikiLeaks releases Vault 7 ‘Dark Matter’, which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.” reads the Dark Matter description provided by Wikileaks.

The CIA experts have found a way to infect Apple firmware to gain persistence, in this way the attackers were able to maintain the infection on Mac OS and iOS devices even if the operating system has been re-installed.

According to WikiLeaks, one of the most interesting documents is related to the “Sonic Screwdriver” project, which is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting”allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”.

The technique allows a local attacker to boot its hacking tool using a peripheral device (i.e. USB stick, screwdriver),“even when a firmware password is enabled” on the device. This implied that the Sonic Screwdriver allows attackers to modify the read-only memory of a device, the documents revealed that malware is stored in the Apple Thunderbolt-to-Ethernet adapter.

Digging in the Dark Matter dump we can find the NightSkies 1.2 hacking tool, which is described as a “beacon/loader/implant tool” for the Apple iPhone.

“Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.” continues Wikileaks.

This hacking tool has expressly been designed by the CIA hackers to infect “factory fresh” iPhones, likely during transport. The existence of the tool suggests that the Central Intelligence Agency has been targeting the iPhone supply chain since at least 2008.

“While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” says WikiLeaks.

“DarkSeaSkies” is another implant described in the Dark Matter repository. It is described as “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.

Wikileaks plans to release more interesting information about the CIA cyber capabilities and hacking techniques.

Stay Tuned …

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Dark Matter, CIA)

[adrotate banner=”13″]