(Roqayah Chamseddine) Since launching in 2006, Wikileaks has reportedly released over 10 million documents, including controversial disclosures that have helped unravel war crimes, uncover corporate secrets and even brought to light explosive revelations stemming from Hillary Clinton’s most recent presidential run.Read more »
The latest leaks from WikiLeaks’ Vault 7 is titled “Dark Matter” and claims that the CIA has been bugging “factory fresh” iPhones since at least 2008 through suppliers. The full documents are expected to be released after a 10 a.m. EDT “press briefing” that WikiLeaks promoted on its Twitter.
Here is a live stream of the press briefing with Julian Assange:
And here is the full press release from WikiLeaks:
Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.
Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.
Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStake” are also included in this release. While the DerStake1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.
Also included in this release is the manual for the CIA’s “NightSkies 1.2” a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones. i.e the CIA has been infecting the iPhone supply chain of its targets since at least 2008.
While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.
Dubbed “Dark Matter,” the documents, a new addition to WikiLeaks’ ongoing “Vault 7” dump, detail hacks developed for iPhones and MacBooks as far back as 2008.
“These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware,” a WikiLeaks press release says.
By targeting the firmware, CIA hackers can remain in control of an infected device even if the target wipes the data and re-installs the operating system.
One such tool, known as “Sonic Screwdriver,” is, according to the CIA, a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting…”
By providing a target with a compromised peripheral device such as an Apple Thunderbolt-to-Ethernet adapter, which stores “Sonic Screwdriver” in its firmware, the CIA can gain persistence “even when a firmware password is enabled” on the target computer.
A 2008 document discussing an attack on iPhones, called “NightSkies,” reveals a malicious implant that would be physically installed on a new device. One method of deploying the hack could potentially involve intercepting an iPhone before it reaches a target.
“The tool operates in the background providing upload, download and execution capability on the device,” the document states. “NS is installed via physical access to the device and will wait for user activity before beaconing.”…