At the beginning of this month, WikiLeaks exposed, through leaked documents, a secret CIA division dedicated to hacking iPhones and other devices; continuing the matter, the site has today made available new files covering documentation for several CIA projects aimed at the Mac.
Entitled "Dark Matter", this new leak addresses tools developed by the agency to infect the firmware of Mac computers, which lets them remain on the machine even after a reinstallation of the operating system. Among the projects that drew the most attention in this leak is the Sonic Screwdriver, a reference to the multifunctional tool used by the main character of the British series "Doctor Who".
Sonic Screwdriver (v1.0)
According to the documents, this project was a mechanism for running code from peripheral devices while an Apple notebook or desktop was being powered on; when plugging a USB stick into the Mac, for example, the attack was initiated even if the computer had a firmware password enabled. The malicious CIA code was stored in the modified firmware of an Apple Thunderbolt to Ethernet adapter.
Remember the vulnerability found by the Portuguese researcher Pedro Vilaça? We are talking about something very, very similar.
Another project addressed by the new documents is DarkSeaSkies. Before explaining what it is about, a brief note on what the Extensible Firmware Interface is: known by the acronym EFI, it represents for Macs what the BIOS represents in the Windows world, that is, a specification that defines a software interface between the operating system and the platform firmware.
EFI ships on all Macs, and even if the user reinstalls the system, the interface is neither removed nor cleaned. That is exactly where DarkSeaSkies acts: the idea is to deploy code in EFI, combining several tools already covered in the leaked documents (DarkMatter, SeaPea and NightSkies, which are implanted in the EFI, in kernel space and in user space, respectively).
The tool Triton, in turn, is described as an automated implant. Once installed, it can be used to perform automated and immediate tasks that collect data and information and send it back. Triton can, for example, inject and run software remotely to search for files and folders, among other things.
Der Starke (v1.4)
Der Starke is very similar to Triton, but is a persistent EFI version designed to run on OS X/macOS 10.7 or higher, and it is also compatible with Linux. The tool hides itself by running its network communications through a browser so that it is not detected by programs like Little Snitch, for example.
The documents, however, also cover tools designed for iPhones, such as NightSkies. It is a loader, something designed to be physically implanted on an iPhone as it leaves the factory. Version 1.2 of NightSkies dates from 2008 (a year after the original iPhone was released), which led WikiLeaks to suggest that the CIA has been infecting the iPhone's supply chain since then.
· · ·
Worrisome? For some, no doubt; for others, like security researcher Will Strafach (the famous @chronic), no.
I truly hope it goes without saying, but if not: I have verified that the new release contains nothing of concern. most things are ancient. https://t.co/0JSSc0UgF0
– Will Strafach (@chronic) March 23, 2017
According to Strafach, as with the first leak related to Vault 7, many (or all?) of these vulnerabilities have been fixed by Apple for some time.
(via AppleInsider, Cult of Mac, 9to5Mac)
Update · 03/23/2017 at 22:57
Apple reported that *all* the vulnerabilities exploited by the CIA tools shared in this latest batch of WikiLeaks documents have now been properly corrected.
Here is the company's statement, given to TechCrunch:
We preliminarily evaluated this morning's WikiLeaks disclosures. Based on our initial analysis, the alleged vulnerability of the iPhone affected only the iPhone 3G and was fixed in 2009, when the iPhone 3GS was launched. In addition, our preliminary assessment shows that the alleged Mac vulnerabilities were previously fixed on all Macs released after 2013.
We do not negotiate with WikiLeaks for any information. We have given them instructions to send the information they want through our normal process, in accordance with our standard terms. So far, we have not received any information from them that is not in the public domain. We are relentless advocates for the security and privacy of our users, but we do not tolerate theft or coordination with those who threaten to harm our users.