Connect with us

Hi, what are you looking for?


Endpoint Security

WikiLeaks Releases Data on CIA’s Apple Hacking Tools

CIA Apple hacking tools

CIA Apple hacking tools

WikiLeaks has released a new round of Vault 7 files. The latest dump, dubbed “Dark Matter,” details some of the tools allegedly used by the CIA to target Apple devices.

The tools are named Sonic Screwdriver, Der Starke, Triton, DarkSeaSkies, NightSkies and SeaPea and, based on the descriptions provided in the files made available by WikiLeaks, they can be used to spy on iPhones and Mac computers. However, in most cases, deploying them requires physical access to the targeted device.

Sonic Screwdriver, for instance, is a tool that can be used to execute code from a USB thumb drive or other external disk connected to a Mac laptop even if the firmware is protected by a password. The documents obtained by WikiLeaks show that Sonic Screwdriver is stored on the firmware of a Thunderbolt-to-Ethernet adapter.

The DarkSeaSkies implant is designed for targeting the EFI on MacBook Air computers, and it’s meant to be delivered via “a supply chain intercept or a gift to the target.” DarkSeaSkies relies on the DarkMatter EFI driver for persistence and installing other tools, and the SeaPea OS X rootkit for stealth and execution of other implants. One such implant is NightSkies, which provides command and control capabilities.

The documents show DarkSeaSkies can be installed by booting the targeted system with an external flash drive. The implant is persistent across OS upgrades and reinstalls, but it can be removed by the attacker using a special command. Under certain conditions, the implant may also remove itself automatically.

Another set of tools includes a piece of OS X malware dubbed Triton, its infector Dark Mallet, and Der Starke, the EFI-persistent version of Triton.

One version of the NightSkies tool is designed for targeting iPhones. Once installed on a device, it can be used to execute arbitrary commands, download additional tools to the phone, and steal various types of files, including the address book, SMS messages and call logs. NightSkies, which also requires physical access to the targeted device, is recommended for “factory fresh” devices.

The documents are dated 2008, 2009 and 2012, but WikiLeaks claims other Vault7 files show the CIA has continued to improve these tools. The organization also pointed out that the files show the intelligence agency has been “infecting the iPhone supply chain of its targets since at least 2008.”

Advertisement. Scroll to continue reading.

“While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” WikiLeaks said.

Impact of the tools and risks

The first Vault7 dump summarized the CIA’s alleged hacking capabilities, and appeared to show that the agency is capable of spying on or through a wide range of devices. While actual exploits have not been published, the information that was made public did not describe any sophisticated tools and many of the vulnerabilities had already been addressed.

In the case of the Dark Matter dump, the fact that the Apple implants require physical access to devices makes them less dangerous. Nicholas Weaver, a researcher at the International Computer Science Institute of the University of California, Berkeley, pointed out, “if somebody has physical access to your computer, you can’t call it yours anymore.”

As for WikiLeaks’ supply chain claims, Weaver and others believe the organization’s statement may be misleading.

“Installing onto ‘factory fresh’ is not about interdiction but targeted delivery: the CIA asset gives the target a phone or a MacBook, this is the general extent of the ‘supply chain’ the CIA is concerned with,” Weaver told SecurityWeek via email.

“Interdiction in the ‘supply chain’ works very well for things like routers, which are big, expensive, few in number, shipped from the US, and to known customers,” he explained. “For example, a Cisco router sent to Syria. Basically you have to know that ‘his package is being shipped from location I can control to known target’ in order to intercept and sabotage.”

Weaver continued, “It doesn’t work for something you can buy at a local store or which is drop-shipped from a local warehouse in the country where it’s going to be used from any of a gazillion different vendors. The CIA doesn’t have a fleet of agents in foreign post offices that can grab such a package. And you don’t mass-poison (say at the factory) this way, for THAT you would have to sabotage the machine that programs up all the iPhones in the first place.”

On the other hand, Weaver pointed out that the WikiLeaks files reveal some interesting information about the CIA’s human intelligence (HUMINT) capabilities.

“At least one tool was specifically because the asset could give the target a MacBook Air, indicating that the target was very trusted by the asset,” the expert said. “Likewise, the two tools together which allow one to reflash firmware even when the EFI password was set says that the CIA had a case where a paranoid target had his computer with a very low level password in the firmware, and the asset would have access to the computer for a short period of time and needed to reflash the computer.”

Related: Cisco Finds Zero-Day Vulnerability in ‘Vault 7’ Leak

Related: Apple, Google Say Users Protected Against CIA Exploits

Related: “Vault 7” Leak Shows CIA Learned From NSA Mistakes

Related: Industry Reactions to CIA Hacking Tools

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.