Learn Penetration Testing And Ethical Hacking Online.



    The stream of documents leaked by WikiLeaks continues. After publishing almost 9,000 documents from "Vault 7", describing spy tools aimed at smart TVs, smartphones, computers and even cars, WikiLeaks is back with details of how the CIA has allegedly been targeting the Mac and the iPhone for several years.

    WikiLeaks has released 12 new documents that give a more detailed look at the hacking techniques the CIA allegedly used against Apple devices such as Macs and iPhones. This release, which WikiLeaks has code-named "Dark Matter", is part of the series of dumps called Vault 7, which WikiLeaks claims are hacking tools obtained from the CIA.

    The first leak, called "Year Zero", came to light in early March and included wiki pages from the CIA intranet documenting some of the agency's cyber weapons.

    That original leak already included documents on the CIA's alleged arsenal of OS X and iOS hacking tools. The Dark Matter dump adds 12 new documents with much more detail on those tools.

    WikiLeaks had promised that those 9,000 documents were only the beginning, and so it has proved. The "Dark Matter" project, released today as part of "Vault 7", consists of espionage tools for Apple devices. They are described as able to infect the computer's firmware directly, which means that reinstalling the operating system would not remove the infection.

    Dark Matter


    For example, Sonic Screwdriver is a tool that CIA operators deploy from a modified Apple Thunderbolt to Ethernet adapter.

    The tool lets the operator execute code from a USB device, CD, DVD or portable hard drive while a Mac boots, even when the Mac's firmware is password protected (a firmware password would normally block booting from external media without the password, so the adapter is what gets around it).
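The page does not say how the adapter delivers its code. A Thunderbolt to Ethernet adapter is a PCIe device, and the mechanism by which a PCIe device hands code to the host firmware at boot is its expansion (Option) ROM, so the first thing to check on a suspect adapter is what images its ROM carries. The Python below is an added example written for this page, not code from the page or from the leaked documents: it walks the image chain of a PCI expansion ROM, reads each image's PCI Data Structure, and reports whether any image is an EFI driver. The ROM it parses is constructed inline (sample vendor and device IDs, one legacy x86 image followed by one EFI image); on a real adapter you would feed it the ROM dumped from the device.

```python
import struct

# Code types from the PCI Data Structure (PCIR); 0x03 is an EFI driver image.
CODE_TYPES = {0x00: "x86 legacy BIOS", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}


def parse_option_rom(rom: bytes) -> list:
    """Walk the image chain of a PCI expansion ROM and describe each image."""
    images, off = [], 0
    while off + 0x1A <= len(rom):
        if rom[off:off + 2] != b"\x55\xaa":
            raise ValueError("bad ROM signature at 0x%x" % off)
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]     # pointer to the PCI Data Structure
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError("bad PCIR signature at 0x%x" % pcir)
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        image_units = struct.unpack_from("<H", rom, pcir + 16)[0]      # image length in 512-byte units
        code_type, indicator = rom[pcir + 20], rom[pcir + 21]
        info = {"offset": off, "vendor_id": vendor, "device_id": device,
                "code_type": CODE_TYPES.get(code_type, "unknown 0x%02x" % code_type),
                "size": image_units * 512, "last": bool(indicator & 0x80)}
        if code_type == 0x03:
            # EFI_PCI_EXPANSION_ROM_HEADER: EfiSignature, EfiSubsystem, EfiMachineType, CompressionType at +4
            efi_sig, subsystem, machine, compression = struct.unpack_from("<IHHH", rom, off + 4)
            info.update(efi_signature_ok=(efi_sig == 0x0EF1), efi_subsystem=subsystem,
                        efi_machine=machine, compressed=(compression == 1))
        images.append(info)
        if info["last"] or info["size"] == 0:
            break
        off += info["size"]
    return images


def has_efi_driver(rom: bytes) -> bool:
    """True if any image in the ROM is an EFI driver that the host firmware would load at boot."""
    return any(img["code_type"] == "EFI" for img in parse_option_rom(rom))


# Constructed sample ROM (not dumped from any real adapter): sample vendor/device IDs,
# one legacy x86 image followed by one EFI image.
def _pcir(vendor: int, device: int, image_units: int, code_type: int, last: bool) -> bytes:
    return struct.pack("<4sHHHHB3sHHBBH", b"PCIR", vendor, device, 0, 24, 0,
                       b"\x00\x00\x02", image_units, 0, code_type, 0x80 if last else 0, 0)


def build_sample_rom() -> bytes:
    legacy = bytearray(512)
    legacy[0:2], legacy[2] = b"\x55\xaa", 1                # signature, size in 512-byte units
    struct.pack_into("<H", legacy, 0x18, 0x20)              # PCIR offset
    legacy[0x20:0x20 + 24] = _pcir(0x14E4, 0x1682, 1, 0x00, last=False)

    efi = bytearray(512)
    struct.pack_into("<HHIHHH", efi, 0, 0xAA55, 1, 0x0EF1, 0x0B, 0x8664, 0)   # x64 boot-service driver
    struct.pack_into("<HH", efi, 0x16, 0x40, 0x20)          # EFI image offset, PCIR offset
    efi[0x20:0x20 + 24] = _pcir(0x14E4, 0x1682, 1, 0x03, last=True)
    return bytes(legacy + efi)
```

An adapter that legitimately ships only a legacy or no ROM at all but turns up with an EFI image is the thing to look at; the parser stops at the image marked last, so an extra image appended after that marker would need a separate scan for further `55 AA` signatures.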

    Another tool, called DarkSeaSkies , "is an implant that persists in the EFI firmware of an Apple MacBook Air computer, installs a Mac OSX 10.5 implant and executes a user space implant." 

    DarkSeaSkies is itself made up of three components:

    • 1. DarkMatter: an EFI driver that persists in the firmware and installs the other two components.
    • 2. SeaPea: a Mac OS X kernel-space implant that runs, hides and grants privileges to the user-space implants.
    • 3. NightSkies: a Mac OS X user-space implant that beacons to a listening post and provides command and control.

    The other two tools, Triton and DerStarke, are related: Triton is an automated implant for Mac OS X, and DerStarke is a diskless, EFI-persistent version of Triton.

    As you can see, all of these tools target EFI/UEFI (Unified Extensible Firmware Interface), the firmware that initializes the hardware and hands control to the operating system, the successor of the old BIOS.

    Placing malicious code in EFI/UEFI guarantees the attacker that it runs on every boot, even if the user reinstalls the operating system. Wiping the disk does not touch it either; only reflashing the firmware from a trusted image (and, for the adapter vector, discarding the adapter) removes it.
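What this means for a defender is that neither a disk wipe nor an OS reinstall tells you anything about the firmware; the check is to dump the flash and compare its contents against a known-good image from the same model and firmware version. The Python below is an added example written for this page, not code from the page or from the leaked documents: it locates UEFI firmware volumes by their `_FVH` signature, validates the 16-bit header checksum, walks the FFS files inside each volume and hashes each file body, then diffs two inventories to report files that were added, removed or modified. The two dumps it compares are constructed inline (a minimal FFSv2 volume with made-up file GUIDs, preceded by an all-0xFF region standing in for the flash descriptor), so it runs offline; a real dump would come from a hardware SPI programmer or a firmware-reading tool.

```python
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FV_HEADER_FMT = "<QIIHHHBB"   # FvLength, Signature, Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision (at +32)
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")   # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS_HEADER_LEN = 24
FILE_TYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x03: "SEC_CORE", 0x04: "PEI_CORE", 0x05: "DXE_CORE",
              0x06: "PEIM", 0x07: "DXE_DRIVER", 0x09: "APPLICATION", 0x0B: "FV_IMAGE", 0xF0: "PAD"}


def sum16(data: bytes) -> int:
    """16-bit additive checksum of an FV header; a valid header sums to zero."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def ffs_header_sum8(hdr: bytes) -> int:
    """8-bit sum of an FFS file header with the file-checksum byte and State treated as zero."""
    return (sum(hdr) - hdr[17] - hdr[23]) & 0xFF


def find_volumes(dump: bytes) -> list:
    """Return (start, length, header_length, ext_header_offset) for every volume whose header checksums."""
    vols, pos = [], dump.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40                                  # the signature sits at offset 40 of the header
        if start >= 0 and start + 56 <= len(dump):
            fv_len, _, _, hdr_len, _, ext_off, _, _ = struct.unpack_from(FV_HEADER_FMT, dump, start + 32)
            if (56 <= hdr_len <= fv_len <= len(dump) - start and hdr_len % 2 == 0
                    and sum16(dump[start:start + hdr_len]) == 0):
                vols.append((start, fv_len, hdr_len, ext_off))
        pos = dump.find(FV_SIGNATURE, pos + 4)
    return vols


def list_files(dump: bytes, start: int, fv_len: int, hdr_len: int, ext_off: int) -> list:
    """Walk the 8-byte-aligned FFS files of one volume, stopping at erased (all 0xFF) flash."""
    end, pos = start + fv_len, start + hdr_len
    if ext_off:                                           # files begin after the extended header, if any
        pos = start + ext_off + struct.unpack_from("<I", dump, start + ext_off + 16)[0]
    pos, files = (pos + 7) & ~7, []
    while pos + FFS_HEADER_LEN <= end:
        hdr = dump[pos:pos + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:
            break
        size = int.from_bytes(hdr[20:23], "little")       # 24-bit size (FFSv3 large files not handled)
        if size < FFS_HEADER_LEN or pos + size > end:
            raise ValueError("corrupt FFS header at 0x%x" % pos)
        files.append({"offset": pos, "guid": str(uuid.UUID(bytes_le=hdr[0:16])),
                      "type": FILE_TYPES.get(hdr[18], "0x%02x" % hdr[18]), "size": size,
                      "header_ok": ffs_header_sum8(hdr) == 0,
                      "sha256": hashlib.sha256(dump[pos + FFS_HEADER_LEN:pos + size]).hexdigest()})
        pos = (pos + size + 7) & ~7
    return files


def inventory(dump: bytes) -> dict:
    """GUID -> file record for every non-pad file in every volume of the dump."""
    return {f["guid"]: f for vol in find_volumes(dump) for f in list_files(dump, *vol) if f["type"] != "PAD"}


def diff_inventories(baseline: dict, sample: dict) -> dict:
    """Files only in the sample, only in the baseline, or present in both with different contents."""
    both = set(baseline) & set(sample)
    return {"added": sorted(set(sample) - set(baseline)),
            "removed": sorted(set(baseline) - set(sample)),
            "modified": sorted(g for g in both if baseline[g]["sha256"] != sample[g]["sha256"])}


# Constructed sample data: a minimal FFSv2 volume with made-up GUIDs, not a real Apple image.
DRIVER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
RAW_GUID = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
IMPLANT_GUID = uuid.UUID("deadbeef-0000-4000-8000-000000000001")


def build_ffs_file(guid: uuid.UUID, ftype: int, body: bytes) -> bytes:
    size = FFS_HEADER_LEN + len(body)
    hdr = bytearray(guid.bytes_le + b"\x00\x00" + bytes([ftype, 0]) + size.to_bytes(3, "little") + b"\xf8")
    hdr[16] = (-ffs_header_sum8(bytes(hdr))) & 0xFF       # header checksum byte
    hdr[17] = 0xAA                                        # FFS_FIXED_CHECKSUM: body not checksummed
    return bytes(hdr) + body + b"\xff" * ((-size) & 7)


def build_fv(files: list, total_len: int = 8192) -> bytes:
    hdr_len = 56 + 16                                     # fixed header + one block-map entry + terminator
    hdr = bytearray(hdr_len)
    hdr[16:32] = FFS2_GUID.bytes_le
    struct.pack_into(FV_HEADER_FMT, hdr, 32, total_len, int.from_bytes(FV_SIGNATURE, "little"),
                     0x0004FEFF, hdr_len, 0, 0, 0, 2)
    struct.pack_into("<IIII", hdr, 56, total_len // 4096, 4096, 0, 0)
    struct.pack_into("<H", hdr, 50, (-sum16(bytes(hdr))) & 0xFFFF)
    body = b"".join(files)
    return bytes(hdr) + body + b"\xff" * (total_len - hdr_len - len(body))


def build_sample_dumps() -> tuple:
    """(clean, tampered): the tampered dump has the driver patched and an extra DXE driver added."""
    descriptor = b"\xff" * 4096                           # stands in for the flash descriptor region
    clean = descriptor + build_fv([build_ffs_file(DRIVER_GUID, 0x07, b"MZ" + b"\x00" * 98),
                                   build_ffs_file(RAW_GUID, 0x01, b"vendor-config-blob")])
    tampered = descriptor + build_fv([build_ffs_file(DRIVER_GUID, 0x07, b"MZ" + b"\x90" * 98),
                                      build_ffs_file(RAW_GUID, 0x01, b"vendor-config-blob"),
                                      build_ffs_file(IMPLANT_GUID, 0x07, b"MZ" + b"\x41" * 300)])
    return clean, tampered
```

The diff is only meaningful against a baseline from the same model and firmware version. A volume whose header checksum fails is skipped silently, so an empty inventory on a dump you expect to be populated is itself a finding. Compressed sections and FFSv3 large files are not unpacked here; the hash covers the raw file body, which is enough to flag an added or patched driver.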

    "Sonic Screwdriver"

    The new documents describe how the CIA has been infecting MacBook Air computers in recent years with a tool dubbed "Sonic Screwdriver", yes, after the famous Doctor Who tool. The code can be placed on all kinds of USB devices, peripheral cables and adapters, such as the Thunderbolt to Ethernet adapter widely used with this notebook; once connected, the device installs the spyware on the computer regardless of whether it is protected by a firmware password.

    The malicious code is installed while the computer boots and is stored permanently in the firmware, so no credentials or other data are needed, and it survives even a full wipe of the disk. What is worrying is that the documents show the CIA was still using this tool in 2016 and had updated it for newer Macs, laptops and desktops alike.

    Within "Dark Matter" we also find other spy tools such as "NightSkies 1.2", used since 2008 to infect new iPhones. This tool, described as a "beacon/loader/implant", has also been updated over time, but unlike the Mac tools it is designed to be installed on brand-new devices. According to WikiLeaks, this means the CIA has intercepted iPhone shipments and tampered with the supply chain to place the malware on devices, something it has been doing since at least 2008.

    WikiLeaks notes that the Mac tool is very targeted: modified cables and adapters are placed with specific groups in different parts of the world. The iPhone case is different, since there the supply chain itself had to be attacked, which, if true, means that iPhones have reached users with this malware already installed without their knowing.

    The CIA targeted the iPhone one year after its launch

    Although it is not prominent in the tool's description, the NightSkies module of DarkSeaSkies also has support for iPhone devices.

    A July 2008 document, one year after the iPhone's launch, details how NightSkies could provide "upload, download and execution capability" on Apple iPhone 3G v2.1 devices.

    The document says CIA operators needed physical access to install the NightSkies implant, but once installed, NightSkies would only act when it detected user activity on the device, hiding its traffic among the user's own. This gives a state-sponsored attacker like the CIA the advantage every APT values most: stealth.

    Although the leaked documents themselves do not say so, WikiLeaks states that NightSkies "is expressly designed to be physically installed on fresh factory iPhones" and that "the CIA has been infecting the iPhone supply chain of its targets since at least 2008."

    At the time of writing the CIA has never officially acknowledged the authenticity of the WikiLeaks documents. However, Motherboard reported yesterday that the agency had asked a judge not to admit documents downloaded from WikiLeaks in a court case because they were "classified content", in effect acknowledging their authenticity.

    More information | Wikileaks

    It is not clear whether the CIA can hack more modern products, whose security measures are much stricter than those of the time, although that is obviously one of its goals.

    It is also clear that Apple is not happy with these revelations, judging from the statement issued by the Cupertino company:

    We have made a preliminary assessment of the WikiLeaks disclosures this morning. Based on our initial analysis, the vulnerability only affected the iPhone 3G and was fixed in 2009 when the iPhone 3GS was launched. Additionally, our preliminary assessment shows that the alleged vulnerabilities were resolved in all Macs launched after 2013.

    We have not negotiated with WikiLeaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms. So far we have not received any information from them that is not in the public domain. We constantly defend the security and privacy of our customers, but we do not condone theft or coordinate with those who threaten to harm our users.

    Apple's tone is not its usual one, in part because, although WikiLeaks has offered to work with the companies affected by these tools to close the security holes, the organization has said it will only do so if the affected firms accept a set of undisclosed conditions.