Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

WikiLeaks documents show CIA struggling to crack Apple gear, little danger to everyday folk

Last updated

While the revelations that the CIA has its own device penetration department, including a section for Apple equipment, a closer look at the revealed data shows an agency struggling with the realities of modern surveillance, and a increasingly sophisticated investigation target base.

Any penetration requires four major factors to be effective — a vector of attack, a deployable payload compromising the system, invisibility, and exfiltration of gathered data. Failure of any of the four makes the effort pointless.

Initial review of documentation revealed in the WikiLeaks publication of the "Vault 7" program documents shows a CIA having problems with combining all four factors on the newest Apple gear and software at the same time.

14 iOS exploits, codenamed: WildTurkey, McNugget, et al

Under an assortment of code names, the CIA developed or purchased many exploits, running all the way to iOS 9.2 in the end of 2015 — but the agency's own data reveals the ephemeral nature of the vectors.

Many are eradicated by a full reboot of the device. Others are purged by a restore.

It is not Apple's, Google's or any other tech company's job to make penetrating their devices easier.

While some are remote, they still need to be specially crafted. The target needs to be convinced to visit a compromised page, or the exploit needs to be installed in a trusted page somehow.

Older devices and devices running early versions of iOS remain exploitable. However, older devices stuck on iOS 5 or the latest batch left behind with iOS 9 will not likely see security patches.

AirPort — project Harpy Eagle

The AirPort exploit effort remains relevant, despite the relative age of the leak. Apple's networking hardware hasn't been altered at all since the penetration efforts began, with only three firmware updates in nearly two years.

The Harpy Eagle documents show an extensive decompilation effort of Apple's code in order to "install a persistent rootkit into the flash storage" of the AirPort, as well as a close examination of the AirPort Utility on then OS X. Assuming the documents are relatively complete, the effort doesn't appear complete, with no fully functional or reliable exploits allowing the CIA to insert itself in a target's network through AirPort router hardware.

The effort appears partially stymied by not just Apple's security through firmware 7.7.3, but the custom codebase developed for the router — the same thing that has historically prevented the gear from compromise through a variety of other exploits that have plagued router manufacturers recently.

Given that the data dump is primarily from the tail-end of 2015, progress has likely been made — but Apple has released three updates in the same time frame. However, as demonstrated with exploits on other platforms, a new version of the AirPort firmware sets the agency back.

OS X Mavericks — project DerStarke

The documents about penetrating the then-new Mavericks is perhaps the most telling of the batch. The worklog detailing DerStarke discusses EFI bootloader compromise, as well as a way to "inject into" popular Internet traffic monitoring utility Little Snitch to prevent the target from spotting data transfer.

Once again, the documents express the difficulty of adjusting to a "moving target" after Apple's hardware and software updates.

It appears that the OS X/macOS tools are more advanced than those for iOS — which makes sense, as the underpinning of OS X has been around since the turn of the century and OS X is far more open than iOS is.

Sensational, but of little actual impact

AppleInsider has yet to plow through all of the nearly 9000 multi-page documents released in just the first batch, and WikiLeaks promises there are more coming. Even going through the Apple-centric ones, the inescapable conclusion remains that while developing the Center for Cyber Intelligence in a less than transparent fashion, the CIA is fulfilling its role in the strange relationship that law enforcement has with Silicon Valley.

It is not Apple's, Google's or any other tech company's job to make penetrating their devices easier. As emphasized by testimony before the Senate Investigative Committee regarding the encryption debate in 2016, it is law enforcement's responsibility to build its own tool library for conducting investigations — and this library is exactly what the "Vault 7" initiative planned.

Apple has since revealed that it has patched most of the CIA's exploits in iOS 10.

Whether or not the CIA violated an Obama-era prohibition on stock-piling so-called "zero-day" exploits is worth mentioning, but mostly irrelevant to users. For better or worse, the agency decided that keeping the exploits to themselves and using them as need-be would be "safer" for the American public.

They may be right. There is more "low-hanging fruit" for the criminal element to utilize. The CIA's exploits for more modern devices up through the end of 2015 require physical access to a device. The less global-scale criminal activities rely on significantly simpler and less costly to implement Java or Flash "drive-by" exploits to steal credentials, or execute the new "ransomware"-styled attacks requiring a BitCoin payment for a delivered encryption key.

The libraries are public — so now what?

The CIA's mandate is to gather information on international persons of interest, primarily through human-gathered intelligence. The library dump is not contrary to that goal, advances the CIA's purpose — and most importantly there is no evidence that the agency used the tools illicitly against the U.S. public.

Regardless of the libraries going public, most AppleInsider readers don't need to worry about the libraries, other than from a idealogical or political standpoint. Bar none, the CIA attacks are targeted, with nearly all of the "modern" ones for Apple equipment requiring physical access to equipment and a great deal of effort and sometimes physical danger, to implement.

The larger danger is the fact that the exploit library is public, with some vectors of attack more well-known now. This doesn't make the attacks any easier to deploy, but it does widen the potential pool of people willing to use them.

None of the exploits are mass-deployable, or pose any significant mass-surveillance threat. It remains far easier in most cases for the CIA or other intelligence gathering or law enforcement agencies to collect location and call data for iPhone users from wireless carriers, and perform some old-school legwork to suss out information about a target.