‘CIA used network dongle with modified firmware to penetrate Macs’


WikiLeaks has released new Vault 7 documents detailing the CIA’s hacking capabilities. WikiLeaks states that the agency used a Thunderbolt-to-Ethernet dongle with modified firmware to install spy tools on Apple computers.

In this release, dubbed Vault 7 “Dark Matter,” WikiLeaks has published 12 new documents, following the thousands of files posted online earlier this month. The files, most of which are from 2008 and 2009, describe methods used by the CIA to penetrate Apple equipment. A few documents from 2012 and 2013 are about a project called Sonic Screwdriver.

According to the documents, Sonic Screwdriver was created to run code from external devices on MacBooks and other Apple computers. To do this, the CIA used an Apple Thunderbolt-to-Ethernet dongle with modified firmware to bypass the firmware password during boot. That password is used to prevent code execution from a device that is not designated as the boot disk.

If the infected network adapter is connected to the Thunderbolt port on the MacBook or other Apple computer, it will search for a device with the volume name “FILER” during boot. This can be, for example, a USB stick, external HDD or CD/DVD drive. From that external device, further tools can be loaded that the CIA uses for espionage or for extracting data from the device.

One of those so-called implant tools is Der Starke. It allows for covert network communication and offers persistence functionality: even if the OS X firmware gets an update, the implant can be re-injected.

According to the CIA document, the Sonic Screwdriver tool could be used on any Apple computer with a Thunderbolt port. The intelligence service has tested Sonic Screwdriver with different versions of the 2011 and 2012 MacBook Air and MacBook Pro.

Motherboard reports that security researcher Pedro Vilaca suspects that Sonic Screwdriver exploits the same vulnerability in Thunderbolt that researcher Trammell Hudson demonstrated in late 2014 and called Thunderstrike. Apple has fixed that vulnerability. However, WikiLeaks states that the intelligence service is constantly working on updates to its tools.

To deploy the hacking tool, the intelligence agency had to have physical access to Mac equipment. However, WikiLeaks also believes that the CIA intercepts products during shipment so that rogue tools can be installed on them. The organization deduces this from documentation about another implant tool, NightSkies 1.2, which, according to the CIA, can be put on factory-fresh iPhones. That documentation is from 2008.
