Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

WikiLeaks documents show CIA struggling to crack Apple gear, little danger to everyday folk

Last updated

While the revelations that the CIA has its own device penetration department, including a section for Apple equipment, a closer look at the revealed data shows an agency struggling with the realities of modern surveillance, and a increasingly sophisticated investigation target base.

Any penetration requires four major factors to be effective — a vector of attack, a deployable payload compromising the system, invisibility, and exfiltration of gathered data. Failure of any of the four makes the effort pointless.

Initial review of documentation revealed in the WikiLeaks publication of the "Vault 7" program documents shows a CIA having problems with combining all four factors on the newest Apple gear and software at the same time.

14 iOS exploits, codenamed: WildTurkey, McNugget, et al

Under an assortment of code names, the CIA developed or purchased many exploits, running all the way to iOS 9.2 in the end of 2015 — but the agency's own data reveals the ephemeral nature of the vectors.

Many are eradicated by a full reboot of the device. Others are purged by a restore.

It is not Apple's, Google's or any other tech company's job to make penetrating their devices easier.

While some are remote, they still need to be specially crafted. The target needs to be convinced to visit a compromised page, or the exploit needs to be installed in a trusted page somehow.

Older devices and devices running early versions of iOS remain exploitable. However, older devices stuck on iOS 5 or the latest batch left behind with iOS 9 will not likely see security patches.

AirPort — project Harpy Eagle

The AirPort exploit effort remains relevant, despite the relative age of the leak. Apple's networking hardware hasn't been altered at all since the penetration efforts began, with only three firmware updates in nearly two years.

The Harpy Eagle documents show an extensive decompilation effort of Apple's code in order to "install a persistent rootkit into the flash storage" of the AirPort, as well as a close examination of the AirPort Utility on then OS X. Assuming the documents are relatively complete, the effort doesn't appear complete, with no fully functional or reliable exploits allowing the CIA to insert itself in a target's network through AirPort router hardware.

The effort appears partially stymied by not just Apple's security through firmware 7.7.3, but the custom codebase developed for the router — the same thing that has historically prevented the gear from compromise through a variety of other exploits that have plagued router manufacturers recently.

Given that the data dump is primarily from the tail-end of 2015, progress has likely been made — but Apple has released three updates in the same time frame. However, as demonstrated with exploits on other platforms, a new version of the AirPort firmware sets the agency back.

OS X Mavericks — project DerStarke

The documents about penetrating the then-new Mavericks is perhaps the most telling of the batch. The worklog detailing DerStarke discusses EFI bootloader compromise, as well as a way to "inject into" popular Internet traffic monitoring utility Little Snitch to prevent the target from spotting data transfer.

Once again, the documents express the difficulty of adjusting to a "moving target" after Apple's hardware and software updates.

It appears that the OS X/macOS tools are more advanced than those for iOS — which makes sense, as the underpinning of OS X has been around since the turn of the century and OS X is far more open than iOS is.

Sensational, but of little actual impact

AppleInsider has yet to plow through all of the nearly 9000 multi-page documents released in just the first batch, and WikiLeaks promises there are more coming. Even going through the Apple-centric ones, the inescapable conclusion remains that while developing the Center for Cyber Intelligence in a less than transparent fashion, the CIA is fulfilling its role in the strange relationship that law enforcement has with Silicon Valley.

It is not Apple's, Google's or any other tech company's job to make penetrating their devices easier. As emphasized by testimony before the Senate Investigative Committee regarding the encryption debate in 2016, it is law enforcement's responsibility to build its own tool library for conducting investigations — and this library is exactly what the "Vault 7" initiative planned.

Apple has since revealed that it has patched most of the CIA's exploits in iOS 10.

Whether or not the CIA violated an Obama-era prohibition on stock-piling so-called "zero-day" exploits is worth mentioning, but mostly irrelevant to users. For better or worse, the agency decided that keeping the exploits to themselves and using them as need-be would be "safer" for the American public.

They may be right. There is more "low-hanging fruit" for the criminal element to utilize. The CIA's exploits for more modern devices up through the end of 2015 require physical access to a device. The less global-scale criminal activities rely on significantly simpler and less costly to implement Java or Flash "drive-by" exploits to steal credentials, or execute the new "ransomware"-styled attacks requiring a BitCoin payment for a delivered encryption key.

The libraries are public — so now what?

The CIA's mandate is to gather information on international persons of interest, primarily through human-gathered intelligence. The library dump is not contrary to that goal, advances the CIA's purpose — and most importantly there is no evidence that the agency used the tools illicitly against the U.S. public.

Regardless of the libraries going public, most AppleInsider readers don't need to worry about the libraries, other than from a idealogical or political standpoint. Bar none, the CIA attacks are targeted, with nearly all of the "modern" ones for Apple equipment requiring physical access to equipment and a great deal of effort and sometimes physical danger, to implement.

The larger danger is the fact that the exploit library is public, with some vectors of attack more well-known now. This doesn't make the attacks any easier to deploy, but it does widen the potential pool of people willing to use them.

None of the exploits are mass-deployable, or pose any significant mass-surveillance threat. It remains far easier in most cases for the CIA or other intelligence gathering or law enforcement agencies to collect location and call data for iPhone users from wireless carriers, and perform some old-school legwork to suss out information about a target.



44 Comments

maestro64 19 Years · 5029 comments

First. our government should not be spending so much money making the floors look so pretty, and putting big logos in the floor. Government workers should be working in spaces which were built by the lowest bidder with the cheapest available materials. The government is not a profit center so they should not be living like they make more money than the fortune 500 companies.

I would not count on the government not testing their exploits out on the general public, they have to do a proof of concept and prove they can hack into people systems. It not the fact they were listening and observing but what they did with the information. Then we have the FBI director come out and say American can not expect to have privacy in the modern age, the above article is why.

I am just glad Apple is on all of our sides at this point, and glad to hear Little Snitch may catch what our government is trying to do. I have use little snitch for many years and can not tell you how many apps do things you have no idea what they are doing. I have google total blocked from reporting home what I do.  

wood1208 10 Years · 2938 comments

We need to strengthen USA's intelligence safeguards and punish by death(him/her and their family) if anyone from inside leak any intelligence. Today, it may be silly inforamtion that CIA trying to create tools to hack IOS but tomorrow it can leak about the brave intelligence undersover agent's names which can put their life in harms-way, get killed.

jSnively 13 Years · 402 comments

This is an important topic and conversation about it from all sides is more than warranted. Just be respectful to each other and please keep things on topic. If it gets out of hand we will close the thread.

jungmark 13 Years · 6927 comments

"It is not Apple's, Google's or any other tech company's job to make penetrating their devices easier."

correct. Anyone that says otherwise is a fool. 

rotateleftbyte 12 Years · 1630 comments

Just the tip of the iceberg I'm afraid.
The more IoT stuff we put into our homes, the greater the attack vector the bad guys have to aim at.
Smart TV's, Light Bulbs, Fridges, Amazon and Google boxes used as voice assistants.... the list is growing and it is not only phones and computers.