The CIA Allegedly Hacked Macs and iPhones — A Decade Ago
According to Wikileaks
by LORENZO FRANCESCHI-BICCHIERAI
When WikiLeaks dumped a cache of hundreds of secret documents allegedly detailing the CIA’s hacking operations in early March 2017, Julian Assange promised that was just “less than one percent” of what the secret-spilling group had in its possession.
On March 23, 2017, WikiLeaks released a new cache of 12 documents, mostly detailing how the CIA allegedly hacked Apple computers and cellphones around a decade ago.
“These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware,” WikiLeaks stated.
EFI and UEFI are the core firmware on Macs, the Mac equivalent of the BIOS on PCs. By targeting the UEFI, hackers can compromise Macs in a way that persists even after the operating system is reinstalled.
The documents are mostly from last decade, except a couple that are dated 2012 and 2013.
While the documents are somewhat dated at this point, they show how the CIA was perhaps ahead of the curve in finding new ways of hacking and compromising Macs, according to Pedro Vilaca, a security researcher who has been studying Apple computers for years.
Judging from the documents, Vilaca said it “looks like CIA were very early adopters of attacks on EFI.”
“It looks like CIA is very interested in Mac/iOS targets, which makes sense since high value targets like to use [those],” Vilaca explained. “Also interesting the lag between their tools and public research. Of course, there’s always unpublished research but cool to see them ahead.”
One example where the CIA appears to have anticipated what independent security researchers later found out is what the agency calls “Sonic Screwdriver,” a technique to infect Macs with malware stored in an Apple Thunderbolt-to-Ethernet adapter, according to one leaked document.
Sonic Screwdriver, according to Vilaca, appears to be the same attack that Trammell Hudson later showcased in late 2014 and dubbed Thunderstrike.
While the two techniques look similar, the CIA’s appears to have had different capabilities, and it might also have been inspired by a 2012 talk at the Black Hat security conference by a researcher known as Snare.
Sonic Screwdriver allowed the CIA to install its tools on a Mac even if the firmware password was enabled, while Thunderstrike allowed an adapter to overwrite the motherboard boot flash, which provided a more persistent intrusion.
Another document dated 2008 alleges that the CIA had developed a malicious implant for the iPhone that could be “physically installed onto factory fresh iPhones,” according to WikiLeaks.
“[NightSkies] is installed via physical access to the device and will wait for user activity before beaconing,” the document reads.
This suggests that, just like the NSA, the CIA at some point might have been able to intercept iPhones and compromise them before they reached the target.
The CIA declined to comment.