WikiLeaks began publishing a cache of data pilfered from the CIA several weeks ago, and the process isn’t anywhere close to over. The last round of leaks covered the covert tools used by the CIA to exploit Android, Windows, and other platforms. This time it’s Apple’s turn in the spotlight. The “Dark Matter” documents describe how the CIA has sought to crack Apple’s products, including the MacBook and iPhone.
As with the previous dump of CIA documents, these are all about five to seven years old. They likely have little relation to what the agency is using now to gain access to devices. Still, it’s interesting to see what technological spycraft looks like, even if it’s a little out of date.
On the MacBook side, the CIA had several tools aimed at breaking the security model of OS X in the late 2000s and early 2010s. One, known as Sonic Screwdriver (the CIA likes Doctor Who references), lets an operator run code on the machine while it boots, even when a firmware password is set. The implant lives in the modified firmware of an Apple Thunderbolt-to-Ethernet adapter; plugged into the target's Thunderbolt port, it boots attack software from a peripheral such as a USB stick, so other tools can be installed on the device without the user's knowledge. The caveat for defenders is that a firmware password only gates interactive boot choices at the keyboard; it does nothing against code that a connected peripheral supplies during early boot.
There are also the Triton and Der Starke packages for the MacBook. Both do similar things once infiltrated into the firmware of a Mac: they give the CIA access to all the files and activity on the computer, and because they run from firmware rather than from files on disk, anti-malware apps that scan the operating system do not see them. Sonic Screwdriver is an ideal way to deliver these tools to a target machine.
It’s unclear if the above MacBook tools still function, but I doubt it. One tool that’s almost certainly dead is DarkSeaSkies, which was developed exclusively for the original MacBook Air in 2009. This tool is also installed in firmware to spy on the user, but it was much less elaborate. The CIA likely moved on to Triton and Der Starke.
The only document that covers the iPhone is from 2008, shortly after the device debuted. It focuses on the iPhone 3G (the second iPhone model) running iPhone OS 2.1, the version later rebranded as iOS. The tool is called NightSkies, and again it requires physical access: the document describes installing it on factory-fresh phones before they reach the user, which points at supply-chain interdiction rather than tampering with a phone already in the target's hands. It remains dormant until it detects user activity, then beacons to a control server. The remote operator can use NightSkies to steal files, monitor user activity, and even block encryption for secure communications.
All of these leaks come from operational manuals, which don't include the technical details of the exploits. WikiLeaks has promised to provide those details to the affected companies, but so far that hasn't happened; it is reportedly insisting on onerous conditions before disclosing anything.