Latest leaked CIA hack focuses on Apple's macOS, utilizes patched Thunderbolt EFI exploit

A second batch of CIA "Vault 7" documents published by WikiLeaks reveals some penetration methods for Mac hardware in-use by the CIA, none of which are wide-reaching, requiring physical device access to implement.
Thursday's dump, significantly smaller than the first, is Apple-oriented and covers several macOS vulnerabilities and attack vectors that target the EFI routines controlling the boot process. "DarkSeaSkies" is aimed at the MacBook Air and introduces an EFI injection called "DarkMatter" that subsequently installs a "SeaPea" kernel-level attack and a "NightSkies" malware and keylogging package.

The DarkSeaSkies package is delivered by a "Sonic Screwdriver" -- either a USB flash drive or modified Thunderbolt to Ethernet adapter leveraging a Thunderbolt exploit that was first discovered in 2014, and patched in 2015.

An offshoot of "NightSkies" is also available for the iPhone dating back to 2008, and could be installed by "interdicting mail orders and other shipments" according to WikiLeaks -- but is still not a remote attack.

Other documents from Thursday's release show the "DerStarke" package, used to attempt to break into OS X Mavericks, still under development at least through part of 2016. It also targets EFI compromise, but appears less developed than the MacBook Air-specific "SeaPea" vector.

While WikiLeaks notes that the EFI exploits persist after a reboot, what they actually do is reinstall themselves after reboot if not mitigated. An Apple firmware update appears to purge the exploit permanently, until re-infected by someone with physical access to the machine.

The CIA's Center for Cyber Intelligence (CCI) responsible for the leaked computer intrusion methods purportedly has over 5000 members. The group has allegedly targeted more than 10,000 individuals world-wide, spanning iOS, Windows, and Android devices including smart televisions.

The previous reveal on March 7 spanned 8,761 files, and contained 14 iOS exploit and penetration methods. The latest dump is notable for being so specifically targeted at Apple hardware -- a targeted release made by WikiLeaks for reasons only known to themselves.

However, as with the last WikiLeaks reveal, most AppleInsider readers aren't affected. The leaked CIA attacks still do not cast a wide net: nearly all of the published exploits demand physical access to the equipment and time to install.

Comments

  • Reply 1 of 10
    lkrupp (4,702 posts, member)
    Bottom line? Apple’s platform is still vastly more secure than the competition (Windows and Android). Apple is getting all the press about this simply because it’s Apple. Nonetheless, it is now perfectly clear that no platform is entirely secure. So what to do? Take common sense precautions and subscribe to the ‘school of fish’ approach. Think about how or even if you personally would be targeted by state actors. Education about passwords and password vaults is essential. Using 1Password EVERY online account I have has a different password. So if the bad guys steal my password from The Home Depot all I have to do is change that ONE password. I use two factor authentication wherever possible like Social Security, Amazon, Apple. Don’t allow the online account to save your credit card number. Alas the convenience factor will prevent a lot of people from using common sense.
  • Reply 2 of 10
    longpath (132 posts, member)
    The vulnerability of Intel's EFI, USB, and Thunderbolt firmware specs was known; but actual functional exploits, as opposed to proof of concept demonstrations, were not. Hopefully, this will be adequate impetus for Intel to resolve these issues in their underlying technology specifications.
  • Reply 3 of 10
    Since Android is basically wide open, the CIA didn't need to make any special programs to develop exploits against Android, etc. Apple is pretty secure, so they had to work hard. Nice to see that most of these exploits require physical access.
  • Reply 4 of 10
    Apple products are by far more secure than those offered by any other vendor. I'm considering writing and releasing an unbreakable one-time cipher solution and training material on how to operate a secure computing environment. My platform of choice? OS X. Why? Even though I've been developing applications on Windows since the 1990s, the Apple products offer the most secure environment upon which to build. My background includes setting up and managing an approved Sensitive Compartmented Information Facility (SCIF) and development of classified software for many years. I understand the vulnerabilities which must be protected against, the strengths and weaknesses of the tools and technologies available, and how to prevent data exfiltration, whether by external attacks or insiders.
  • Reply 5 of 10
    This article is not completely truthful. These can indeed be installed remotely, and there is no "purge" of the exploit. It's not even detectable and is basically part of the computer from now on.
  • Reply 6 of 10
    This article is not completely truthful. These can indeed be installed remotely, and there is no "purge" of the exploit. It's not even detectable and is basically part of the computer from now on.
    Read the leaks again. None of these are Internet-installable remotely on Apple hardware. Bar none, 100% need physical access to the device. We made no claims about detectability, but an EFI update will, in fact, remove the exploit. Getting that done is a bit of a challenge, though, as there's no routine way to perform an EFI update.

    If the WikiLeaks documents are accurate, then the story is accurate as well.
    edited March 24
  • Reply 7 of 10
    You are assuming they aren't. But Wikileaks has said themselves that they are indeed remotely installable and are not "Fixable".
    edited March 25
  • Reply 8 of 10
    You are assuming they aren't. But Wikileaks has said themselves that they are indeed remotely installable and are not "Fixable".
    Wikileaks is often wrong in their breathless press releases trumpeting what they've found, and play fast and loose with the contents to get eyeballs. Apply your own advice, and look at the documents, not the release saying it exists, and get the facts -- not the emotional targeting that WL wants you to have -- of the specifics of the exploits.

    We did. We're good at what we do. All of us here have been dealing with Apple security for a very long time, longer than WikiLeaks, and some of us even have government service.
    edited March 25
  • Reply 9 of 10
    I've yet to see 1 time they've been wrong. And they are the source of your entire article. There is certainly no proof that this is not remotely installable.

    For the record, I would love for you to be right about this. Fingers crossed.
    edited March 25
  • Reply 10 of 10
    I've yet to see 1 time they've been wrong. And they are the source of your entire article. There is certainly no proof that this is not remotely installable.

    For the record, I would love for you to be right about this. Fingers crossed.
    There is LOADS of proof, straight from the documents themselves, that say that the exploits need physical access.

    It's REALLY hard to use a Thunderbolt exploit that needs a modified Thunderbolt to Ethernet adapter to get plugged in to get done across the internet. DerStarke is similar, and still requires physical access to plug in a compromised USB drive, if not root access from the get-go.

    Their document leaks, pre-WikiLeaks examination, are 99% accurate, if not always complete. Their in-house assessments of technical matters like this in their press releases are almost always wrong, and over-sensationalized like this batch specifically aimed at Apple products because it doesn't look like Cook and company are playing ball.

    We're not the only place who assesses the attacks as needing physical access. Apple and a whole horde of researchers say the same thing.