
Wikileaks Second Publication Reveals CIA Can Hack iPhone and Mac Firmware

Wikileaks still has not published all of the source code for the CIA zero-day vulnerabilities it mentioned a few weeks ago. Meanwhile, Julian Assange is negotiating with the affected hardware and software vendors over when to give them this code so they can fix the security weaknesses before Wikileaks publishes all of it. There is some pushback from the vendors, who worry about the legal implications of handling stolen classified material themselves, and about some undisclosed conditions insisted upon by Mr Assange.

Now WikiLeaks has published the second batch of Vault 7 documents, which it calls “Dark Matter.” These detail how the CIA has been hacking iPhones and Macs.

There is not much danger that ordinary hackers will be able to replicate what the CIA has done, because the CIA is using old-fashioned spycraft. The CIA has managed to insert itself into the Apple supply chain so that it can physically get its hands on these Apple devices and modify their firmware, turning them into tools to spy on its targets. This means either that they have someone working with them inside the chip manufacturing and distribution process, or that they are intercepting these devices in the mail as they are shipped to customers.

On the Mac, the attack is against EFI/UEFI, also called the BIOS. This is the hardware part of the boot-up process that loads before OS X does. Even if a Mac user suspects that their device has been infected, wiping the device or upgrading the OS cannot eliminate the firmware, because it is built into the CPU. The same is true for the iPhone.
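Because a firmware implant survives a disk wipe or OS reinstall, any check has to look at the firmware itself rather than at the installed system. The script below is an added example, not code from the article or from the leaked documents: it parses the text that `system_profiler SPHardwareDataType` prints on macOS (the firmware appears as "Boot ROM Version" on older releases and "System Firmware Version" on newer ones) and compares the reported version with an inventory of expected values per model identifier. The sample output and the expected-version table are constructed placeholders, not real Apple version strings.

```python
"""Compare a Mac's reported firmware version with an expected inventory.

Added example (not from the article). Parses system_profiler output and checks
the firmware version for the machine's model identifier against a table you
maintain from known-good machines.
"""
import re
import subprocess

# Constructed sample of system_profiler SPHardwareDataType output.
# The version strings are placeholders, not real Apple values.
SAMPLE_OUTPUT = """\
Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro8,1
      Boot ROM Version: MBP81.XXXX.EXAMPLE
      SMC Version (system): 1.68f96
"""

# Constructed inventory: model identifier -> firmware version expected on it.
EXPECTED_FIRMWARE = {
    "MacBookPro8,1": "MBP81.XXXX.EXAMPLE",
}

KEYS = ("Model Identifier", "Boot ROM Version", "System Firmware Version")


def parse_hardware_overview(text):
    """Return a dict of the fields we care about from system_profiler text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m and m.group(1) in KEYS:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def check_firmware(text, expected=EXPECTED_FIRMWARE):
    """Return (status, detail); status is 'ok', 'mismatch' or 'unknown'."""
    f = parse_hardware_overview(text)
    model = f.get("Model Identifier")
    # Older macOS releases report "Boot ROM Version", newer ones
    # "System Firmware Version"; accept either.
    version = f.get("Boot ROM Version") or f.get("System Firmware Version")
    if not model or not version:
        return "unknown", "could not find model identifier or firmware version"
    want = expected.get(model)
    if want is None:
        return "unknown", f"no expected firmware version recorded for {model}"
    if version != want:
        return "mismatch", f"{model}: reported {version}, expected {want}"
    return "ok", f"{model}: firmware {version} matches inventory"


def read_live_output():
    """Run system_profiler on a real Mac; return None on any other system."""
    try:
        return subprocess.run(["system_profiler", "SPHardwareDataType"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Use the live output when available, otherwise the constructed sample.
    status, detail = check_firmware(read_live_output() or SAMPLE_OUTPUT)
    print(status, detail)
```

A version mismatch is a reason to investigate, not proof of an implant, and a match is not proof of a clean machine: malicious firmware can report whatever version string it likes, so this check is a baseline triage step. A definitive answer requires reading the SPI flash contents with an external programmer and comparing them byte for byte with a known-good image for that model.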

Unlike the first publication of CIA documents, this time we have complete instruction manuals for the Sonic Screwdriver, DerStarke, Triton, and DarkSeaSkies exploits published online, as web pages and PDFs.

Sonic Screwdriver

Here we look at one of the CIA tools, Sonic Screwdriver.

This implant is added to an Apple Thunderbolt to Gigabit Ethernet Adapter that works with 10/100/1000BASE-T networks. The adapter provides an RJ45 (LAN cable) socket, which would not fit on the ultra-slim MacBook Pro because it is too wide. It also lets a user connect to a gigabit (1,000 Mbps) network, data-center-class speed that most people would not even need and that a regular Ethernet adapter would not support.

The infected adapter lets a CIA operative plug it in and then boot the Mac even when the owner has set a firmware password. The user does not know they have been attacked because the adapter continues to work as normal afterwards. It uses a commercial Broadcom flash utility to update the Mac, something the Broadcom people are not going to appreciate.


The adapter flashes the firmware (meaning it replaces it with new code) and disables the factory reset option (which would undo all of that). The device works with MacBooks built from 2011 to 2012. Given how expensive they are, there are plenty of those still in use.

To load the firmware, the operator burns the UNCLASS_SonicScrewdriverInstall.iso to a CD, then connects both an external CD drive and the Thunderbolt adapter. The operator types one command and waits 1 to 2 minutes.

Then the operator can install the DerStarke tool to spy on the user. It is designed to bypass Little Snitch, the Mac OS X firewall and network monitor. DerStarke also works with another CIA tool called Triton. DerStarke works on MacBooks built between 2010 and 2013 running Mac OS X 10.7 (Lion) and Mac OS X 10.7 (Mountain Lion), both of which are equally old.

What Triton and DerStarke do is make HTTP GET requests to download additional files from the CIA. It also installs an Apache web server so that the CIA can communicate with it. It collects data from the Mac, compresses it, and uploads it back to the CIA command-and-control center. The operator can configure how often the device beacons (connects back) to the CIA. After it fails to connect 4 times, it uninstalls itself.
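An implant that beacons to its command-and-control server at a configured interval leaves a signal that network defenders can look for: repeated outbound GET requests from one client to one host with nearly constant spacing. The script below is an added example, not code from the article or the leaked documents. It groups requests in a proxy log by (client, host), computes the gaps between consecutive requests, and flags series whose gaps barely vary. The log lines are constructed, and the host names and addresses in them are placeholders, not indicators from the article.

```python
"""Flag periodic outbound GETs (beaconing) in proxy log lines.

Added example, not from the article. Works on a minimal constructed log
format: "<ISO timestamp> <client> <method> <url>" per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. One client fetches the same host every ~5 minutes
# (a beacon pattern) and also browses a second host at irregular times.
SAMPLE_LOG = """\
2017-03-23T10:00:00 10.0.0.5 GET http://update-check.example.net/b
2017-03-23T10:00:07 10.0.0.5 GET http://cdn.example.org/img/logo.png
2017-03-23T10:05:01 10.0.0.5 GET http://update-check.example.net/b
2017-03-23T10:09:59 10.0.0.5 GET http://update-check.example.net/b
2017-03-23T10:12:30 10.0.0.5 GET http://cdn.example.org/img/banner.png
2017-03-23T10:15:00 10.0.0.5 GET http://update-check.example.net/b
2017-03-23T10:20:02 10.0.0.5 GET http://update-check.example.net/b
2017-03-23T10:31:10 10.0.0.5 GET http://cdn.example.org/index.html
"""


def parse_line(line):
    """Split one log line into (timestamp, client, method, host)."""
    ts, client, method, url = line.split(maxsplit=3)
    host = url.split("://", 1)[1].split("/", 1)[0]
    return datetime.fromisoformat(ts), client, method, host


def find_beacons(log_text, min_requests=4, max_jitter=0.10):
    """Return [(client, host, mean_gap_seconds)] for GET series with at least
    min_requests requests whose inter-request gaps have a coefficient of
    variation (stddev / mean) below max_jitter."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host = parse_line(line)
        if method == "GET":
            times[(client, host)].append(ts)

    hits = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Near-constant spacing is the beacon signal; human browsing is bursty.
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((client, host, avg))
    return hits


if __name__ == "__main__":
    for client, host, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {host} every {gap:.0f}s")
```

On the sample log the only hit is the client's series of requests to the first host, spaced about 300 seconds apart; the three requests to the second host are too few and too irregular. In practice the threshold and minimum count need tuning per environment, since legitimate software update checks also beacon on a schedule, so hits are leads to correlate with the destination's reputation and the client's process list, not verdicts.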


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
