WikiLeaks releases new CIA documents describing Mac exploits

WikiLeaks just shared a few new documents as part of the CIA Vault 7 data dump. These documents describe hacking methods allegedly used by the agency to access Apple devices and upload data. Most of today’s exploits are related to the Mac platform. It’s interesting to see the CIA’s old hacking techniques. It’s unclear if some of them still work today.

Update: Apple has provided a statement saying that all these exploits have been fixed for at least a few years already. Here’s the full statement.

Sonic Screwdriver v1.0

This 2012 hack is quite neat as it uses a peripheral device to infect your Mac. In particular, the CIA was installing the malware on Thunderbolt-to-Ethernet adaptors.

After the CIA had flashed the dongle, it was quite easy to execute. By powering on the Mac, the code would automatically execute on the accessory and infect the firmware with something like Der Starke (see below).

It’s a silent attack and it would fool anyone. The accessory remains infected so you could end up attacking multiple Macs with the same device.

Does this sound familiar? Because when I read this, I instantly remembered Thunderstrike 2. Xeno Kovah and Trammell Hudson described the exact same exploit at Black Hat in 2015, three years after the CIA’s document.

Apple has fixed the exploit around the same time, so you should be fine.

Key lessons:

  • Always update to the latest version of macOS to get the most recent security fixes
  • Don’t buy a Thunderbolt accessory on eBay

Triton v1.3 & Der Starke v1.4

Triton is quite a powerful malware. Once installed, the CIA can get files and folders from your computer. The CIA can install it from anywhere as long as they can mount your hard drive to their /Volumes folder. If that sounds scary, Der Starke is another beast altogether.

Der Starke v1.4 released in 2013 was working perfectly fine on Macs released in 2013 running OS X 10.7. It’s more or less the same thing as Triton, but much more sneaky.

First, it’s a diskless malware, meaning that you won’t be able to find it on your hard drive. Der Starke infects your Mac firmware and works well with the Sonic Screwdriver exploit for instance — when you combine multiple exploits, you can do dangerous things. You can also install it from a USB thumb drive or hard drive.

Like Triton, the CIA can get data from your computer, but it remains as silent as possible. When it uploads data, it mimics a browser process so that it looks like you’re just uploading a photo to Facebook. Apps like Little Snitch can’t even detect it.

It’s unclear if Triton and Der Starke still work today. I’ve reached out to Apple and will update this post when the company gets back to me.

Key lesson:

DarkSeaSkies v1.0

This is quite an old exploit as it was built to target the original MacBook Air and OS X 10.5. Just like Der Starke, DarkSeaSkies would infect your firmware in order to upload data from your computer. DarkSeaSkies is the generic name to describe three different malwares with funny names — “DarkMatter,” “SeaPea” and “NightSkies.”

DarkMatter was the firmware malware that installed the other two tools on the hard drive.

SeaPea was responsible of hiding all files, processes and network events from the user.

NightSkies let the CIA remotely run commands on your Mac and get data from your computer.

It sounds like Der Starke, but less elaborate. I think the CIA probably abandoned those tools in favor of Der Starke and Triton.

NightSkies v1.2

There’s one exploit in particular that is about the iPhone. The CIA released an iPhone version of NightSkies v1.2 in December 2008 to get as much data as possible from your phone. Let’s just say that this hack is quite ancient. It’s quite funny to parse the CIA’s document about it. It says that the hack works with iOS 2.1 and the iPhone 3G.

It was quite powerful as NightSkies could access your address book, SMS conversations and call logs in order to upload it to the CIA’s servers. The agency could also execute commands on the iPhone remotely to install new tools and more.

The installation method also looks ancient as you had to use iTunes and plug the iPhone to a computer. The CIA created infected IPSW firmware files to flash the iPhone with this custom version of iOS.

So if you downloaded new versions of iOS on The Pirate Bay back in 2008 and were all about jailbreaking your phone, maybe you installed this malware on your good old iPhone 3G.

Apple has considerably increased the security of iOS. IPSW firmware files are now signed by Apple through their servers, so it’s technically impossible to install old vulnerable versions of iOS using iTunes. Moreover, you need to type your passcode to update the operating system. If you don’t know the passcode, there’s no way to flash the firmware.

Key lessons:

  • Always update to the latest version of iOS to get the most recent security fixes
  • Use a strong passcode (at least six numbers or, even better, an alphanumeric password)
  • Update your iPhone over the air by going to the Settings app on your phone so you don’t have to use iTunes
  • Keep your phone with you so you’re sure nobody is installing a custom firmware behind your back