Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Latest leaked CIA hack focuses on Apple's macOS, utilizes patched Thunderbolt EFI exploit

A second batch of CIA "Vault 7" documents published by WikiLeaks reveals some penetration methods for Mac hardware in-use by the CIA, none of which are wide-reaching, requiring physical device access to implement.

Thursday's dump, significantly smaller than the first, is Apple-oriented and covers some macOS vulnerabilities and attack vectors utilizing attacks on the EFI routines that control the boot process. "DarkSeaSkies" is aimed at the MacBook Air, and introduces an EFI injection called "DarkMatter" that will subsequently install a "SeaPea" kernel attack, and a "NightSkies" malware and keylogging pacakge.

The DarkSeaSkies package is delivered by a "Sonic Screwdriver" — either a USB flash drive or modified Thunderbolt to Ethernet adapter leveraging a Thunderbolt exploit that was first discovered in 2014, and patched in 2015.

An offshoot of "NightSkies" is also available for the iPhone dating back to 2008, and could be installed by "interdicting mail orders and other shipments" according to WikiLeaks — but is still not a remote attack.

Other documents from Thursday's release include the possibility of the "DerStarke" package used to attempt to break in to OS X Mavericks still under development, at least through part of 2016. It also addresses EFI compromise, but still appears less developed than the particular to MacBook Air "SeaPea" vector.

While WikiLeaks notes that the EFI exploits persist after a reboot, what they actually do is reinstall themselves after reboot if not mitigated. An Apple firmware update appears to purge the exploit permanently, until re-infected by someone with physical access to the machine.

The CIA's Center for Cyber Intelligence (CCI) responsible for the leaked computer intrusion methods purportedly has over 5000 members. The group has allegedly targeted more than 10,000 individuals world-wide, spanning iOS, Windows, and Android devices including smart televisions.

The previous reveal on March 7 spanned 8,761 files, and contained 14 iOS exploit and penetration methods. The latest dump is notable for being so specifically targeted at Apple hardware — a targeted release made by WikiLeaks for reasons only known to themselves.

However, as with the last WikiLeaks reveal, most AppleInsider readers aren't impacted. All of the leaked CIA attacks continue to not be a wide-spread net, with nearly all of the published exploits demanding physical access to equipment and time to install.



10 Comments

lkrupp 19 Years · 10521 comments

Bottom line? Apple’s platform is still vastly more secure than the competition (Windows and Android). Apple is getting all the press about this simply because it’s Apple. Nonetheless, it is now perfectly clear that no platform is entirely secure. So what to do? Take common sense precautions and subscribe to the ‘school of fish’ approach. Think about how or even if you personally would be targeted by state actors. Education about passwords and password vaults is essential. Using 1Password EVERY online account I have has a different password. So if the bad guys steal my password from The Home Depot all I have to do is change that ONE password. I use two factor authentication wherever possible like Social Security, Amazon, Apple. Don’t allow the online account to save your credit card number. Alas the convenience factor will prevent a lot of people from using common sense.

longpath 20 Years · 401 comments

The vulnerability of Intel's EFI, USB, and Thunderbolt firmware specs was known; but actual functional exploits, as opposed to proof of concept demonstrations, were not. Hopefully, this will be adequate impetus for Intel to resolve these issues in their underlying technology specifications.

JessiReturns 8 Years · 68 comments

Since android is basically wide open, the CIA didn't need to make any special programs to develop exploits against Android, etc.   Apple is pretty secure, so they had to work hard.  Nice to see that most of these exploits require physical access.

Morthwyl 7 Years · 1 comment

Apple products are by far more secure than those offered by any other vendor. I'm considering writing and releasing an unbreakable one-time cipher solution and training material on how to operate a secure computing environment. My platform of choice? OS X. Why? Even though I've been developing applications on Windows since the 1990s, the Apple products offer the most secure environment upon which to build. My background includes setting up and managing an approved Sensitive Compartmented Information Facility (SCIF) and development of classified software for many years. I understand the vulnerabilities which must be protected against, the strengths and weaknesses of the tools and technologies available, and how to prevent data exfiltrated, whether by external attacks or insiders.

factnotfeelings 7 Years · 3 comments

This article is not completely truthful. These can indeed be installed remotely, and there is no "purge" of the exploit. It's not even detectable and is basically part of the computer from now on.