Continuing its ongoing leaks of government security documents, WikiLeaks has just dropped the latest in its Vault 7 collection. Titled “Dark Matter,” this release contains documents showcasing various projects undertaken by the CIA to infect Apple computers and iPhones. The Mac-specific infections are considered harder to combat, because they infect the EFI firmware and persist even after the operating system is re-installed.
The Sonic Screwdriver project, aptly named after the Doctor Who gadget that opens just about anything, is notable for how easily it can infect other systems. The implant can be launched from a USB stick, or even from an Apple Thunderbolt-to-Ethernet adapter carrying modified firmware.
According to what WikiLeaks shared, the documents state that the attack works even when the computer is locked down with a firmware password. This exploit sounds very similar to what Pedro Vilaca disclosed in the middle of last year.
The other CIA exploit projects center on remaining persistent in EFI across re-installation. EFI, or Extensible Firmware Interface, is Apple’s equivalent of the BIOS found in PC systems. Because it is “baked in” to each Mac, the EFI is neither removed nor cleared when macOS is re-installed from scratch. In the new “Dark Matter” release, WikiLeaks shares that DarkSeaSkies specifically implants itself into the EFI of MacBook Air computers. They state it is a combination of the DarkMatter, SeaPea, and NightSkies tools, which “implant” themselves into the EFI, kernel space, and user space respectively.
Potentially scarier in this release is the manual for the NightSkies tool made specifically for the iPhone. NightSkies version 1.2 had been out since 2008 and, according to WikiLeaks, was specifically designed to be installed on “factory fresh iPhones.” This has led WikiLeaks to believe that “the CIA has been infecting the iPhone supply chain of its targets since at least 2008.”
As with most of the leaks in previous weeks, many of these releases describe software vulnerabilities that no longer exist. Security researcher Will Strafach took to Twitter to remind others that none of these vulnerabilities are new or should be of concern.
From the short WikiLeaks summary shared today, all of these vulnerabilities required physical access to the victim’s machines. The most recent releases all seem to stem from years-old vulnerabilities that Apple has already acknowledged as fixed.
While these vulnerabilities may be patched and fixed for those on the most up-to-date software, it still raises the question of what else exists that has yet to be disclosed.