If the CIA wants inside your Mac, it may not matter that you so carefully avoided those infected email attachments or maliciously crafted web sites designed to plant spyware on your machine. Based on new documents in WikiLeaks’ ongoing release of CIA hacking secrets, hackers at Langley could have infected the deepest, most hidden recesses of your laptop.
A new installment of leaks from WikiLeaks’ so-called Vault 7 cache of secret CIA documents published Thursday hints at the ultra-stealthy techniques the agency has used to spy on the laptops—and possibly smartphones—of Apple users when it can get physical access to those machines. The documents show how the CIA’s spyware infects corners of a computer’s code that antivirus scanners and even most forensic tools often miss entirely. Known as EFI, it’s firmware that loads the computer’s operating system, and exists outside of its hard-disk storage.
“The EFI is what orchestrates the entire boot sequence. If you change something before that, you’re controlling everything,” says Karsten Nohl, the founder of Security Research Labs and a well-known firmware hacker. “It becomes part of your computer. There’s no way of knowing that it’s there, and also hardly any way to get rid of it.”
Give Them the Boot
The CIA’s documents describe a series of tools that agents can use to install “implants” on target machines, capable of silently monitoring everything that occurs within its operating system and transmitting it to a remote operator. One manual explains how to modify the firmware of a standard Apple Thunderbolt-to-ethernet adapter, turning it into an spyware-planting tool the CIA calls “Sonic Screwdriver.” When plugged in, the altered adapter can trick a Mac into thinking it’s booting its operating from a spoofed network source that the adapter impersonates, allowing tweaks to its firmware even in the rare cases when the user has set a password for any changes to that deep-seated code.
‘There’s no way of knowing that it’s there, and also hardly any way to get rid of it.’ Karsten Nohl, Security Research Labs Founder
That firmware implant, which the CIA calls “DerStarke,” acts as a virtually undetectable loader for the actual payload, a malware tool called Triton, which lurks on the machine and relays information back to its controller hidden in streams of network data that imitate a web browser. Even if the computer’s hard disk gets completely wiped, Triton will be momentarily erased—but then reinstalled on the next boot from the infected firmware.
All of which, it’s important to note, would only work on older MacBooks, not more modern ones that have implemented a “secure boot” protection designed to prevent exactly this sort of firmware trickery. But WikiLeaks’ CIA documents appear to date back to 2013, suggesting the agency has had plenty of time to adjust to Apple’s security advances. In fact, WikiLeaks points to another DerStarke 2.0 document that it says is dated 2016.
“It would be foolish to think that the CIA has not updated their tools as much as possible for modern systems,” says Thomas Reed, a Mac-focused security researcher at antivirus firm MalwareBytes.
It’s also worth noting that the attacks require physical access to the computer’s USB and Thunderbolt ports. That means a victim would have to leave a computer unattended, or the CIA would have to intercept it mid-shipment, or potentially while a target is detained by police or held at a security checkpoint. For another piece of malware mentioned in the WikiLeaks release, one document makes reference to “the opportunity to gift a MacBook Air to a target that will be implanted with this tool.”
The documents focus almost entirely on Mac attacks, but also include a passing reference to an attempt as early as 2008 to create similar physical access for the iPhone. It notes, though, that the mobile attack “does not have stealth and persistence capabilities.” Apple didn’t immediately respond to a request for comment on CIA hacking revelations.
Mining Vault 7
The Mac-hacking documents represent the second WikiLeaks release this month from the secret-spilling group’s trove of CIA files. It follows an earlier release that included references to dozens of hacker exploits affecting smartphones, along with tools for compromising desktop machines and even Samsung Smart TVs.
As with most of the contents of that earlier release, the new Mac-focused documents don’t seem to demonstrate the CIA developing new “zero-day” exploits, but rather repurposing the findings of the public research community. MalwareBytes’ Reed points to two talks at public hacker conferences about Mac firmware hacking that seem to precede the CIA’s own work on undetectable Mac malware. “We should not be surprised at the fact that the CIA has such tools in their toolbox,” Reeds adds. “That would be the equivalent of being surprised that a police officer has a gun.”
That notion the CIA is simply doing its job, however, offers cold comfort to anyone concerned that well-resourced government hackers might seek to plant ultra-stealthy malware on their computer or smartphone. One takeaway, as always, is to avoid letting any sensitive computer leave your physical possession. And if that “ambassador” spontaneously offers you a new MacBook next Christmas, think twice about what you type into it.