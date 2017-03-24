Society's Child
#Vault7: WikiLeaks releases 'Dark Matter' batch of CIA hacking tactics for Apple products - Update
RT
Thu, 23 Mar 2017 15:21 UTC
The release discloses the alleged details of methods employed by the CIA to compromise devices manufactured by Apple including the iPhone and Macbook Air.
In a statement from WikiLeaks, the whistleblower group said today's 'Dark Matter' leak includes details of the 'Sonic Screwdriver' project, described by the CIA as a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting."
Techniques named in the release detail methods that could allow devices to be compromised between the manufacturing line and the end user or by a CIA asset in close proximity to a target.
The leak came just prior to WikiLeaks latest press briefing which is scheduled to take place at 10am ET. The last Vault 7 press conference was cancelled after Julian Assange claimed their streaming services were being attacked.
The projects, developed by the CIA's Embedded Development Branch (EDB), attack Apple's firmware meaning that any infections are persistent regardless of efforts to remove them, including if the operating system is reinstalled.
WikiLeaks said this allows an attacker to boot its attack software from a USB stick on to a device even when a firmware password is enabled on the device, meaning the read-only memory of a device can be modified using 'Sonic Screwdriver'.
The infector is stored in the Apple Thunderbolt-to-Ethernet adapter, claim WikiLeaks.
Julian Assange is answering questions on the latest release at today's press conference.
The press conference comes two weeks after Assange said WikiLeaks will give tech companies exclusive access to leaked information they obtained from the CIA in the first part of 'Vault 7', known as 'Zero Days'.
Comment: The new WikiLeaks Vault 7 leak titled "Dark Matter" also claims that the CIA has been bugging "factory fresh" iPhones since at least 2008 and that the CIA has the capability to permanently bug iPhones, even if their operating systems are deleted or replaced. A summary of the documents has been released on the WikiLeaks website. It reads:
Today, March 23rd 2017, WikiLeaks releases Vault 7 "Dark Matter", which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.
Among others, these documents reveal the "Sonic Screwdriver" project which, as explained by the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting" allowing an attacker to boot its attack software for example from a USB stick "even when a firmware password is enabled". The CIA's "Sonic Screwdriver" infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
"DarkSeaSkies" is "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consists of "DarkMatter", "SeaPea" and "NightSkies", respectively EFI, kernel-space and user-space implants.
Documents on the "Triton" MacOSX malware, its infector "Dark Mallet" and its EFI-persistent version "DerStake" are also included in this release. While the DerStake1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.
Also included in this release is the manual for the CIA's "NightSkies 1.2" a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.
While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization's supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.
