Latest leaked CIA hack focuses on Apple's macOS, utilizes patched Thunderbolt EFI exploit
A second batch of CIA "Vault 7" documents published by WikiLeaks reveals several penetration methods for Mac hardware in use by the CIA, none of which is wide-reaching: each requires physical access to the device to implement.

Thursday's dump, significantly smaller than the first, is Apple-oriented and covers macOS attack vectors built on compromising the EFI firmware that controls the boot process. "DarkSeaSkies" is aimed at the MacBook Air and consists of an EFI implant called "DarkMatter," which subsequently installs a "SeaPea" kernel-space implant and a "NightSkies" malware and keylogging package.
The DarkSeaSkies package is delivered by a "Sonic Screwdriver," either a USB flash drive or a modified Thunderbolt-to-Ethernet adapter, leveraging a Thunderbolt exploit that was first disclosed in 2014 and patched by Apple in 2015.
An offshoot of "NightSkies" is also available for the iPhone, dating back to 2008, and could be installed by "interdicting mail orders and other shipments," according to WikiLeaks; that too is not a remote attack.
Other documents from Thursday's release cover "DerStarke," a package intended to compromise OS X Mavericks that appears to have remained under development at least through part of 2016. It also targets EFI, but appears less mature than the MacBook Air-specific "SeaPea" vector.
While WikiLeaks notes that the EFI exploits persist after a reboot, what the firmware component actually does is reinstall the kernel and user-space payloads after each reboot unless it is removed. An Apple firmware update appears to purge the implant permanently, until the machine is re-infected by someone with physical access to it.
The CIA's Center for Cyber Intelligence (CCI), responsible for the leaked intrusion methods, purportedly has over 5,000 members. The group has allegedly targeted more than 10,000 individuals worldwide, with tooling spanning iOS, Windows and Android devices as well as smart televisions.
The previous release, on March 7, spanned 8,761 files and contained 14 iOS exploit and penetration methods. The latest dump is notable for being so specifically targeted at Apple hardware, a focus WikiLeaks chose for reasons known only to itself.
However, as with the last WikiLeaks release, most AppleInsider readers aren't affected. None of the leaked CIA attacks casts a wide net; nearly all of the published exploits demand physical access to the equipment and time to install.

Comments
We did. We're good at what we do. All of us here have been dealing with Apple security for a very long time, longer than WikiLeaks, and some of us even have government service.
For the record, I would love for you to be right about this. Fingers crossed.
Their document leaks, pre-WikiLeaks examination, are 99% accurate, if not always complete. Their in-house assessments of technical matters like this in their press releases are almost always wrong, and over-sensationalized like this batch specifically aimed at Apple products because it doesn't look like Cook and company are playing ball.
We're not the only place that assesses the attacks as needing physical access. Apple and a whole horde of researchers say the same thing.