WikiLeaks’ Dark Matter documents reveal CIA hacks for Macs and iPhones


It’s only a couple of weeks since WikiLeaks unleashed the first batch of its Vault 7 CIA documents, revealing the agency’s spying and hacking capabilities. Now the organization has released a second cache of files dubbed Dark Matter, and they show that the CIA has developed tools for hacking Apple products.

Bold and exciting names like Sonic Screwdriver, DerStarke, Triton and DarkSeaSkies are the monikers given to tools that attack the firmware of MacBooks and iPhones. What’s particularly interesting about the documents is that they appear to show that the CIA had the ability to exploit Apple hardware and software a full decade ago.

Not all of the hacks revealed in Dark Matter are quite so old, however. The user guide for Sonic Screwdriver, for instance, was updated as recently as November 2012. It shows how a Thunderbolt or USB port can be used to infect and access a MacBook Pro or MacBook Air, right up to mid-2012 models. While this is an attack that would require physical access to a machine, it would also be very easy to fool a user into infecting their own computer — or even several computers.

Introducing the latest — and smaller — batch of documents, WikiLeaks says:

“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.

Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

Also included in this release is the manual for the CIA’s “NightSkies 1.2”, a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones, i.e. the CIA has been infecting the iPhone supply chain of its targets since at least 2008.

This last allegation is interesting. Having seemingly developed the ability to infect iPhones at factory level, did the CIA ever implement such a project?

Apple has said that it fixed “many of the issues” exposed in the first data dump from WikiLeaks, but it’s not clear how many of these latest revelations have also been addressed.