Wikileaks Does Another CIA Related Info Dump
Today, Wikileaks has released “Dark Matter”, the second information dump meant to highlight the hacking techniques of the CIA. This dump will be of particular interest to Mac users, as the documents released today claim that the CIA has tools to break into MacBooks that also survive OS reinstalls, which implies that they’re firmware based:
Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting”, allowing an attacker to boot its attack software, for example from a USB stick, “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.
Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.
This sounds like an offshoot of the Thunderstrike 2 exploit from a couple of years ago. If so, it should have been patched in OS X 10.10.2, but we’ll have to wait for details to see whether that’s true.
The other thing that’s in this info dump is this tidbit, which will be of interest to iPhone users:
Also included in this release is the manual for the CIA’s “NightSkies 1.2”, a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones, i.e. the CIA has been infecting the iPhone supply chain of its targets since at least 2008.
This sounds far-fetched, except that it isn’t. Upon reading this, I remembered an Ars Technica article that described this exact scenario. In that case the intelligence agency was the NSA, and it was loading software that sounds a lot like what’s being described here onto Cisco gear. That makes what’s being described here plausible.
Expect Apple to come out with a statement on this shortly, as this will surely get their attention and generate a lot of questions that they’ll have to answer.