CIA Infects “Factory Fresh” iPhones – WikiLeaks

Vault 7 revelations are back at WikiLeaks, and this time iPhones are the center of attention, as the documents reveal that the CIA has been infecting macOS firmware and “factory fresh” iPhones for years.

The first time around, we saw a batch of documents covering all kinds of exploits the CIA can put to effective use; this time the focus is on iPhones and Macs.

For instance, the “Dark Matter” documents discuss a project named “Sonic Screwdriver.” Created by the CIA’s Embedded Development Branch, Sonic Screwdriver is a mechanism for executing code on peripheral devices while a Mac desktop or laptop is booting.

An attacker can install malicious software on a user’s device from a USB stick, even when a firmware password is set. The infecting agent for this particular tool is stored in the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

Another project is “DarkSeaSkies,” an implant that persists in the EFI firmware of an Apple MacBook Air computer. Alongside it is the Triton macOS malware, which has an infector called “Dark Mallet” and an EFI-persistent version called “DerStarke.”

The documents in WikiLeaks’ possession include the 2013 DerStarke 1.4 manual, along with other documents showing that, as of 2016, the CIA continued to rely on and update these systems and was also working on a second DerStarke version.

Another of the CIA’s tools targets iPhones. Using a “beacon/loader/implanter tool” called NightSkies, factory-fresh iPhones can be infected. WikiLeaks states that the documents it holds indicate NightSkies had reached version 1.2 by 2008 and was expressly designed to be physically installed onto fresh iPhones, which WikiLeaks claims shows the CIA has been infecting the iPhone supply chain ever since.

“While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise,” WikiLeaks writes.
