
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,768
31,222



WikiLeaks today continued its "Vault 7" series by leaking details concerning CIA-related programs that were built with the intent to infect iMac and MacBook devices. Today's "Dark Matter" installment of Vault 7 follows a few weeks after WikiLeaks debuted "Year Zero," which focused on exploits that the CIA created for iOS devices. In a response the same day that Year Zero came out, Apple said that many of the vulnerabilities in the leak were already patched.

Now, WikiLeaks is shedding light on Mac-related vulnerabilities and exploits, which the leakers claim "persists even if the operating system is re-installed." The project in question, created and spearheaded by the CIA's Embedded Development Branch, is called the "Sonic Screwdriver" and represents a mechanism that can deploy code from a peripheral device -- a USB stick, or the "screwdriver" -- while a Mac is booting up.

[Image: MacBook Pro models, side view]

According to WikiLeaks, this allows an attacker "to boot its attack software" even if the Mac has a password enabled on sign-up. In the report, it's said that the CIA's own Sonic Screwdriver has been stored safely on a modified firmware version of an Apple Thunderbolt-to-Ethernet adapter. Besides the Doctor Who-referencing exploit, Dark Matter points towards yet another bounty of CIA programs aimed at gathering information, infecting, or somehow crippling a Mac device.
"DarkSeaSkies" is "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consists of "DarkMatter", "SeaPea" and "NightSkies", respectively EFI, kernel-space and user-space implants.

Documents on the "Triton" MacOSX malware, its infector "Dark Mallet" and its EFI-persistent version "DerStarke" are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.
Dark Matter isn't exclusively Mac focused, however, and includes a few new iPhone exploits in the round-up as well. One is called "NightSkies 1.2" and is described as a "beacon/loader/implant tool" for the iPhone that is designed to be physically installed on an iPhone directly within its manufacturing facility. This conspiracy-leaning exploit is said to date back to 2008 -- one year after the first iPhone debuted -- and suggests, according to WikiLeaks, that "the CIA has been infecting the iPhone supply chain of its targets since at least 2008."
While CIA assets are sometimes used to physically infect systems in the custody of a target, it is likely that many CIA physical access attacks have infected the targeted organization's supply chain, including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.
The full list of the new Dark Matter documents can be found on WikiLeaks, and we're likely to see more Apple-related WikiLeaks releases as the Vault 7 series continues. As it was with Year Zero, it'll still take some time for security analysts and experts to determine the full impact of today's leaks.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Article Link: WikiLeaks Continues 'Vault 7' With New Documents Detailing Mac-Related CIA Exploits
 

smallcoffee

macrumors 68000
Oct 15, 2014
1,667
2,208
North America
Well, on one hand I am thinking these people really know what they're doing, even when we hear about "the screw ups". On the other hand I don't like knowing how powerless people are on the individual level against this type of stuff. Nothing is safe. Nothing.
 

Juicy Box

macrumors 604
Sep 23, 2014
7,528
8,863
The project in question, created and spearheaded by the CIA's Embedded Development Branch, is called the "Sonic Screwdriver" and represents a mechanism that can deploy code from a peripheral device -- a USB stick, or the "screwdriver" -- while a Mac is booting up.

So, it sounds like code could only be done with having physical access to the device itself.

Interesting spy stuff.
 

now i see it

macrumors G4
Jan 2, 2002
10,685
22,364
Well there you go folks. These are all spying devices. Probably the most harmful thing Apple has done is try to con their customers into thinking their gadgets are secure.

Might as well just blog our life story, daily correspondence and inner secrets on Facebook and be done with it.
 

Juicy Box

macrumors 604
Sep 23, 2014
7,528
8,863
Probably the most harmful thing Apple has done is try to con their customers into thinking their gadgets are secure.

I think it is a little different when you are talking about this situation, considering you need physical access to the device.

Also, I don't ever remember Apple saying that Macs were 100% secure for any attack. They did say that iPads don't get PC viruses though, which is true. Just like I don't get PC viruses.
 

H2SO4

macrumors 603
Nov 4, 2008
5,671
6,953
I think it is a little different when you are talking about this situation, considering you need physical access to the device.

Also, I don't ever remember Apple saying that Macs were 100% secure for any attack. They did say that iPads don't get PC viruses though, which is true. Just like I don't get PC viruses.
It’s disingenuous.
 

5105973

Cancelled
Sep 11, 2014
12,132
19,733
So, it sounds like code could only be done with having physical access to the device itself.

Interesting spy stuff.
Oh but they do get physical access to our stuff. They intercept it en route to its final destination:

https://arstechnica.com/tech-policy...de-factory-show-cisco-router-getting-implant/

Quote from that article:

"The document, a June 2010 internal newsletter article by the chief of the NSA’s Access and Target Development department (S3261) includes photos (above) of NSA employees opening the shipping box for a Cisco router and installing beacon firmware with a “load station” designed specifically for the task.

The NSA manager described the process:

Here’s how it works: shipments of computer network devices (servers, routers, etc.) being delivered to our targets throughout the world are intercepted. Next, they are redirected to a secret location where Tailored Access Operations/Access Operations (AO-S326) employees, with the support of the Remote Operations Center (S321), enable the installation of beacon implants directly into our targets’ electronic devices. These devices are then re-packaged and placed back into transit to the original destination. All of this happens with the support of Intelligence Community partners and the technical wizards in TAO."



Cisco has been having a rough time with its international customers trusting its equipment and for good reason. It's not Cisco's fault, their equipment leaves the factory "clean".

I have no idea if the government spooks bother with any of us. I guess it would depend on what you do for a living.
 

A MacBook lover

Suspended
May 22, 2009
2,011
4,582
D.C.
It’s disingenuous.
Security isn't black and white.

You can be like some manufacturers with thousands of kernel exploits and remote access to microphones and cameras.

Or like Apple with far fewer exploits that are limited by having physical access to the device.
 

Juicy Box

macrumors 604
Sep 23, 2014
7,528
8,863
It’s disingenuous.
What is? Apple's thoughts on the iPad getting PC viruses? or physical vulnerabilities of a Mac? If it is the latter, then I wouldn't fault Apple for this, unless it is something they allowed/knew about.
 

guzhogi

macrumors 68040
Aug 31, 2003
3,747
1,846
Wherever my feet take me…
Might as well just blog our life story, daily correspondence and inner secrets on Facebook and be done with it.

Some folks do, and then complain about how the government spies on them.

They did say that iPads don't get PC viruses though, which is true. Just like I don't get PC viruses.

Not sure if being sarcastic. But that's kind of BS. Any device able to receive files can get a virus. The real question is whether they're affected by said virus, like some digital form of Typhoid Mary.
 

69Mustang

macrumors 604
Jan 7, 2014
7,895
15,044
In between a rock and a hard place
This likely means the Justice department lied to the court in the SB iPhone case. I wonder if there will be prosecutions?
This doesn't mean anything of the sort. That was an FBI issue. Remember, we're talking about the government - more specifically the CIA. Agencies tend not to share their toys. Even if they were willing to share, the likelihood that they'd expose their ability to access smartphones over (to them) an inconsequential case is slim to none (slim went home).

The most worrisome portion of this reporting is the infestation at the supply chain level. If the exploits are embedded before the device even reaches your hands...
 

Juicy Box

macrumors 604
Sep 23, 2014
7,528
8,863
Oh but they do get physical access to our stuff. They intercept it en route to its final destination:

https://arstechnica.com/tech-policy...de-factory-show-cisco-router-getting-implant/

Quote from that article:

"The document, a June 2010 internal newsletter article by the chief of the NSA’s Access and Target Development department (S3261) includes photos (above) of NSA employees opening the shipping box for a Cisco router and installing beacon firmware with a “load station” designed specifically for the task.

The NSA manager described the process:

Here’s how it works: shipments of computer network devices (servers, routers, etc.) being delivered to our targets throughout the world are intercepted. Next, they are redirected to a secret location where Tailored Access Operations/Access Operations (AO-S326) employees, with the support of the Remote Operations Center (S321), enable the installation of beacon implants directly into our targets’ electronic devices. These devices are then re-packaged and placed back into transit to the original destination. All of this happens with the support of Intelligence Community partners and the technical wizards in TAO."



Cisco has been having a rough time with its international customers trusting its equipment and for good reason. It's not Cisco's fault, their equipment leaves the factory "clean".

I have no idea if the government spooks bother with any of us. I guess it would depend on what you do for a living.
I actually wondered about this stuff a while back. Obviously the CIA wouldn't target me, but I wondered if they intercept devices to get back door access. I also wondered if the OEMs are in cahoots with the CIA and allow it.
Not sure if being sarcastic. But that's kind of BS. Any device able to receive files can get a virus. The real question is whether they're affected by said virus, like some digital form of Typhoid Mary.

I wasn't being sarcastic, but I was just pointing out something silly that Apple is currently advertising. Apple doesn't use the word "infected", but if you watch the ad, they imply that "get" is the same thing.


This video isn't as bad as the "word" ad, with the idiot saying "worrrrd" over and over again, but still pretty dumb.
 

Sasparilla

macrumors 68000
Jul 6, 2012
1,965
3,384
Not too surprising. The updated BIOS specification UEFI (I think that is right) was truly a bad thing that was done to the PC and Intel Mac (mainstreamed long after 9/11 and pushed by Microsoft and Intel, both willing partners in all this mass surveillance stuff with our government): once compromised, it gives a persistent bootable threat that comes back after OS clean installs.

It's good to remember from the Snowden files, the CIA also tried to compromise Apple's compilers (unknown where they got with that):

https://theintercept.com/2015/03/10/ispy-cia-campaign-steal-apples-secrets/

Looking forward to leaks getting all the exploits out to the mfrs so they can be closed...our guys aren't way smarter than the Russians, Chinese or black market folks who will have figured them out and be using them as well.

Well there you go folks. These are all spying devices. Probably the most harmful thing Apple has done is try to con their customers into thinking their gadgets are secure....

I have to disagree there. While there are ways for these folks to compromise a Mac, they aren't intercepting all shipments and compromising them all; you need to be an active target. It's good to keep in mind that from the Snowden docs we could see the govt was actively going after Apple, obviously, because Apple wasn't a willing partner in all this. You didn't see any articles like that about Microsoft or any of the PC mfrs (or Juniper or Cisco Systems for that matter). So, it's a good bet, from a personal privacy standpoint (from mass surveillance), Apple was and still is probably the best you could do.
 

tennisproha

macrumors 68000
Jun 24, 2011
1,587
1,086
Texas
Again, it shouldn't come as a surprise to anyone that the Central Intelligence Agency has tools to conduct espionage. It's literally their job description. This has been known for a long time. These WikiLeaks revelations just state the obvious. So calm down everyone.

No, the CIA is not spying on you. These tools are used for statecraft, espionage, and terrorism threats. The CIA doesn't care about the porn you have on your Mac. Calm down.

The CIA does not spy on its own citizens en-masse either. They don't have the manpower. The NSA however is a different and separate story.

This is another ruse to get you riled up like last time. No actual tools were released. Just the knowledge that the CIA possesses the ability, which we already knew. No big deal. Calm down.
 