WikiLeaks today published another batch of documents in its “Vault 7” series on CIA hacking tools. This release covers CIA programs built to compromise Apple hardware, and goes beyond iOS devices to Mac computers.
The leakers claim the CIA has Mac implants that “persist even if the operating system is re-installed.” One tool in the release, dubbed “Sonic Screwdriver”, executes code from a peripheral device such as a USB stick or a modified adapter while a Mac is booting up.
WikiLeaks says this lets an attacker “boot its attack software” even when the Mac has a firmware password set. It says the CIA stored Sonic Screwdriver in a modified firmware image of an Apple Thunderbolt-to-Ethernet adapter. Beyond this, the release points to further CIA programs aimed at gathering data from, infecting, or even crippling a Mac.
“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively its EFI, kernel-space and user-space components. Because the EFI component lives in the machine’s firmware flash rather than on disk, wiping or reinstalling the operating system does not remove it.
Documents on the “Triton” Mac OS X malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke 1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continued to rely on and update these tools and was working on DerStarke 2.0.
The tools aren’t exclusive to Mac hardware, however; the release also includes a few concerning the iPhone.
One, described as a “beacon/loader/implant tool” for the iPhone, is designed to be physically installed on a factory-fresh iPhone before it reaches its owner. The tool dates back to 2008, which WikiLeaks says suggests that “the CIA has been infecting the iPhone supply chain of its targets since at least 2008.”
While CIA assets are sometimes used to physically infect systems already in a target’s custody, WikiLeaks suggests it is likely that many CIA physical-access attacks instead compromise the targeted organization’s supply chain, for example by interdicting mail orders and other shipments leaving the United States or elsewhere: opening the package, infecting the device, and resending it.