Wikileaks documents show CIA's Mac and iPhone compromises

For years, the agency has had implants for iPhones and low-level firmware rootkits for MacBooks

The U.S. CIA has had tools to infect Apple Mac computers by connecting malicious Thunderbolt Ethernet adapters to them since 2012, according to new documents purported to be from the agency and published by WikiLeaks.

One of the documents, dated Nov. 29, 2012, is a manual from the CIA's Information Operations Center on the use of a technology codenamed Sonic Screwdriver. It is described as "a mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting."

Sonic Screwdriver allows the CIA to modify the firmware of an Apple Thunderbolt-to-Ethernet adapter so that it forces a MacBook to boot from a USB stick or DVD disc even when the boot options are locked with an EFI firmware password.

For example, Sonic Screwdriver can be used to boot into a Linux live CD so that the MacBook's partitions and data can be accessed from outside macOS, the manual says.

More importantly, an adapter modified by Sonic Screwdriver can be used to execute Der Starke, a fileless macOS malware program that has a persistence component installed in the computer's EFI (Extensible Firmware Interface).

The EFI, or UEFI, is the low-level firmware stored on the computer's logic board that initializes and configures the hardware components before handing control to the actual operating system. It is the modern equivalent of the BIOS.

An EFI implant, or rootkit, can inject malicious code into the operating system's kernel during the boot process. Because it lives in the firmware flash chip rather than on disk, it will survive even if the OS is fully reinstalled or the hard disk drive is replaced.

Der Starke is described in another CIA document that was leaked Thursday as "a diskless, EFI-persistent version of Triton," which is "an automated implant for Mac OS X" -- spying malware that can steal data and send it to a remote server.

An older implant, and possibly Der Starke's precursor, is described in a document from 2009 for MacBook Air computers under the codename DarkSeaSkies. It too has an EFI persistence module and includes a user-space module codenamed Nightskies.

What's interesting about Nightskies is that it was ported to the Macbook Air from a version for iPhones. According to WikiLeaks, the iPhone version of Nightskies is designed to be physically installed onto factory fresh phones.

This suggests that the CIA is compromising the supply chain and is potentially intercepting and infecting electronic device shipments before they reach the final buyer. Documents leaked by Edward Snowden in 2013 suggested that the U.S. National Security Agency (NSA) engages in similar practices.

The ability to install rootkits inside the EFI of Mac computers is not new. Australian security researcher Loukas K, better known in the security community as Snare, presented a proof-of-concept EFI rootkit for Macs at the Black Hat security conference in 2012. Snare has since been hired by Apple.

In 2014, another security researcher, Trammell Hudson, developed an attack dubbed Thunderstrike that infects the EFI of Mac computers through malicious Thunderbolt devices. Apple fixed some of the vulnerabilities that made that attack possible, but the following year Hudson created another version of the exploit, dubbed Thunderstrike 2, together with researchers Xeno Kovah and Corey Kallenberg.

Apple again fixed some of the vulnerabilities that made Thunderstrike 2 possible, and a few months later the company hired Kovah and Kallenberg.

Given that Apple now has at least three security researchers who specialize in EFI attacks and that the company has hardened its firmware against such exploits significantly since 2012, it's possible that the CIA's Der Starke implant doesn't work on the company's latest devices.

Apple did not immediately respond to a request for comment.

The ability to bypass EFI password protection and boot from a peripheral device's Option ROM (firmware code on the device itself that the EFI executes during boot) has also been known since 2012 and was actually mentioned in Snare's Black Hat presentation. This method, which is used by the CIA's Sonic Screwdriver Thunderbolt adapter, was finally blocked by Apple in macOS Sierra 10.12.2, released in December.

After WikiLeaks released the first batch of CIA documents earlier this month, Intel Security released a tool, a whitelisting module for its open-source CHIPSEC firmware analysis framework, that can help computer administrators check whether a system's EFI/UEFI firmware contains code that is not on a known-good list.
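The whitelisting approach that a tool like the one described above relies on, and the reason an EFI implant survives an OS reinstall, can both be illustrated on a firmware image. The example below is added here and is not code from Intel Security, CHIPSEC, or any of the leaked documents. It parses an EFI firmware volume (the `_FVH` header and the FFS file headers that follow it), hashes every file body keyed by its file GUID, and compares the result against a baseline taken from a known-good dump, reporting files that were modified, added, or removed. The firmware images it runs on are constructed inline for the demonstration; the GUIDs and file contents are made up, and the parser handles only a single flat FFS2 volume (no nested volumes, compressed sections, or large files), which are assumptions for this example.

```python
"""EFI firmware-volume whitelist check (example code, not CHIPSEC or any leaked tooling).

Assumptions (not from the article): the dump holds one flat FFS2 volume, each file
is described by a standard EFI_FFS_FILE_HEADER, and the whitelist is a
{file GUID: SHA-256 of file body} map produced from a known-good dump.
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"        # EFI_FIRMWARE_VOLUME_HEADER.Signature, at header offset 40
FFS_HEADER_LEN = 24           # Name(16) IntegrityCheck(2) Type(1) Attributes(1) Size(3) State(1)
FFS_ATTRIB_LARGE_FILE = 0x01  # extended header variant, deliberately unsupported here
FV_FILETYPE_FFS_PAD = 0xF0    # padding files carry no code and are not hashed
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID


def parse_firmware_volume(image: bytes) -> dict:
    """Return {file GUID: sha256(file body)} for every FFS file in the first volume found."""
    sig = image.find(FV_SIGNATURE)
    if sig < 40:
        raise ValueError("no EFI firmware volume header (_FVH) found")
    fv = sig - 40                                      # start of EFI_FIRMWARE_VOLUME_HEADER
    fv_len, = struct.unpack_from("<Q", image, fv + 32)
    hdr_len, = struct.unpack_from("<H", image, fv + 48)
    end = fv + fv_len
    if end > len(image) or hdr_len < 56:
        raise ValueError("firmware volume header claims an impossible size")
    files = {}
    off = fv + hdr_len
    while off + FFS_HEADER_LEN <= end:
        hdr = image[off:off + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:            # erased flash: no more files
            break
        ftype, attrs = hdr[18], hdr[19]
        if attrs & FFS_ATTRIB_LARGE_FILE:
            raise ValueError(f"FFS_ATTRIB_LARGE_FILE at 0x{off:x} not supported by this example")
        size = int.from_bytes(hdr[20:23], "little")    # 24-bit size, header included
        if size < FFS_HEADER_LEN or off + size > end:
            raise ValueError(f"corrupt FFS file header at 0x{off:x}")
        if ftype != FV_FILETYPE_FFS_PAD:
            guid = str(uuid.UUID(bytes_le=hdr[:16]))
            files[guid] = hashlib.sha256(image[off + FFS_HEADER_LEN:off + size]).hexdigest()
        off = (off + size + 7) & ~7                    # FFS files are 8-byte aligned
    return files


def check_against_whitelist(observed: dict, whitelist: dict) -> dict:
    """Classify firmware files relative to a known-good baseline."""
    return {
        "modified": sorted(g for g, h in observed.items() if g in whitelist and whitelist[g] != h),
        "unknown": sorted(g for g in observed if g not in whitelist),
        "missing": sorted(g for g in whitelist if g not in observed),
    }


def build_test_volume(files) -> bytes:
    """Assemble a synthetic FFS2 volume from (guid, type, body) tuples. Constructed test data only."""
    body = b""
    for guid, ftype, data in files:
        size = FFS_HEADER_LEN + len(data)
        hdr = (uuid.UUID(guid).bytes_le + b"\x00\x00"  # IntegrityCheck left zero in this sample
               + bytes([ftype, 0]) + size.to_bytes(3, "little") + b"\xf8")
        entry = hdr + data
        body += entry + b"\xff" * (-len(entry) % 8)    # pad each file to 8-byte alignment
    hdr_len = 56 + 16                                  # fixed fields + one block-map entry + terminator
    fv_len = hdr_len + len(body)
    block_map = struct.pack("<II", 1, fv_len) + struct.pack("<II", 0, 0)
    header = (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", fv_len) + FV_SIGNATURE
              + struct.pack("<IHHHBB", 0, hdr_len, 0, 0, 0, 2) + block_map)
    assert len(header) == hdr_len
    return header + body


# Constructed sample: a known-good volume, and a dump with one driver patched and one file added.
BASELINE_FILES = [
    ("a1b2c3d4-0000-4000-8000-000000000001", 0x05, b"DXE core image (constructed)"),
    ("a1b2c3d4-0000-4000-8000-000000000002", 0x07, b"SPI flash driver (constructed)"),
    ("a1b2c3d4-0000-4000-8000-000000000003", 0x07, b"Thunderbolt driver (constructed)"),
]
INFECTED_FILES = BASELINE_FILES[:2] + [
    ("a1b2c3d4-0000-4000-8000-000000000003", 0x07, b"Thunderbolt driver (constructed) + hook"),
    ("deadbeef-0000-4000-8000-00000000ffff", 0x07, b"persistence module (constructed)"),
]


def demo() -> dict:
    """Build the whitelist from the baseline image, then scan the tampered image against it."""
    whitelist = parse_firmware_volume(build_test_volume(BASELINE_FILES))
    observed = parse_firmware_volume(build_test_volume(INFECTED_FILES))
    return check_against_whitelist(observed, whitelist)


if __name__ == "__main__":
    for verdict, guids in demo().items():
        print(f"{verdict:9s} {guids}")
```

On a real machine the image to scan would first be read out of the SPI flash (CHIPSEC's `spi dump` does this), and the baseline must come from a dump of the same firmware version on a machine believed clean, otherwise every legitimate update shows up as "modified". Keying on the file GUID rather than on position is what lets the check survive re-layout of the volume while still catching a replaced driver or an added file, which is exactly how an EFI persistence module would appear.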

During a press conference Thursday, WikiLeaks founder Julian Assange said that newly released documents are just a small part of the cache of CIA documents that his organization has but has not yet published.

WikiLeaks previously promised to share unpublished information about CIA exploits and vulnerabilities with the technology companies whose products are affected. The organization then asked vendors to agree to certain terms before it discloses the information.

Assange clarified Thursday that those terms don't involve money or anything like that, but rather a commitment from vendors that they will patch any flaws disclosed to them within an industry-standard period of 90 days, with a possible extension for hard-to-fix vulnerabilities.


Lucian Constantin

IDG News Service