
WikiLeaks has published a selection of 12 CIA documents about hacking iPhone and Mac in 2008-2013


An Apple Thunderbolt-to-Ethernet adapter, manufactured in 2012 by the CIA, carries the Sonic Screwdriver code (named after the sonic screwdriver from Doctor Who) in its firmware, which launches a program from a peripheral device even if the Mac is password-protected. This makes it possible to boot from a flash drive, CD or DVD and install tools on the computer without removing the Mac's password.

Although Julian Assange said that the first portion, Year Zero, represents less than 1% of the total CIA Vault 7 collection, WikiLeaks is in no hurry to publish the sequel. Today, WikiLeaks posted a modest selection of 12 Dark Matter documents. The compilation dates from 2008–2009, plus two documents from 2012–2013, and is devoted exclusively to hacking tools for Mac computers and iPhones. For the most part, these are user guides for the tools.

The documents show that the CIA has for a long time been continuously breaking the protection of Apple devices in various ways. The list of compromised hardware includes every model of MacBook Pro and MacBook Air laptop up to the end of 2013; the latest model is the MacBook Pro 11.2 (15" Retina). There is little doubt that the CIA has similar tools for all subsequent models as well; WikiLeaks has for some reason simply not published descriptions of these more modern implants.

Many of the tools in the Dark Matter selection operate at the EFI / UEFI firmware level (the counterpart of the BIOS). This means that password protection does not affect them. If they overwrite the firmware, they remain in the system almost permanently. In most cases, however, installing the implant requires physical access to the computer.
Tool list

All the tools presented were developed by the Embedded Development Branch (EDB).

Although the CIA programs shown are more or less outdated, they do give a general idea of the ways in which EDB experts hack Apple technology. They also demonstrate that the CIA continuously sought out new hacking methods and attack vectors. In general, they were constantly at the forefront of technical progress in hacking techniques. "It seems that the CIA were among the first to start hacking EFI," said Pedro Vilaca, a security specialist who has been studying Apple technology for many years. "It is evident that they were very interested in hacking Mac / iOS, which makes sense, because valuable targets like to use [it]. It is also interesting to look at the lag between their tools and public research. Of course, there are always unpublished studies, but it's cool to see them ahead."

Take, for example, Sonic Screwdriver, described in a user manual dated November 29, 2012. Apparently, this is the same attack that the hacker Trammell Hudson first demonstrated in public as Thunderstrike. That happened at the end of 2014, which means the hacker scene lagged behind the CIA by about two years.


Trammell Hudson's Thunderstrike device, probably similar to the Sonic Screwdriver developed by the CIA

Trammell Hudson, on the other hand, hinted on his Twitter account that the CIA itself could have borrowed ideas from the community. In July 2012, at the Black Hat USA hacker conference, the hacker Snare presented an attack on EFI firmware via Thunderbolt, and in November a ready-made tool from the CIA appeared.


If WikiLeaks does publish the full archive of CIA documents along with the files in the near future, we will have a chance to narrow the technological gap with the CIA. But not for long. The Agency has very powerful resources: thousands of hackers work there, and thanks to its influence and large financial resources it can hire outside contractors and buy 0-day vulnerabilities and ready-made exploits from third parties. Even if an independent hacker presents to the public a tool that is not in the CIA's arsenal, the Agency will certainly pay close attention to it, follow the research, and may invite the author to work for it, and so on. It is difficult to count on the independent community succeeding against a powerful state machine.

Source: https://habr.com/ru/post/357306/

