
Amazing new WikiLeaks CIA bombshell: Agents can install software on Apple Macs, iPhones right in front of them

And in 2009 – just 8 years ago

Startling leaked documents show the CIA could purchase Apple Macs and iPhones, install spyware onto them, and give them to targets.

The secret files, dumped online today, are the latest documents from WikiLeaks' Vault 7 series of classified CIA hacking tools and manuals. The files, dated 2008 to 2013, describe malware that could be smuggled onto Apple-designed computers and smartphones before they are handed over to specific targets.

The spying toolkit was made up of various components. One of them is NightSkies, a "beacon" for iPhones that was available shortly after the first generation of Apple's landmark smartphones went on sale. By periodically pinging a beacon signal to a listening-post system on the internet, the software let agents track an infected handheld.

The CIA wanted to port NightSkies to Apple MacBook Air laptops, calling the resulting software DarkSeaSkies, according to the leaked files. This port would include the NightSkies beacon emitter as well as a tool called DarkMatter to install the malware in the machine's EFI firmware, plus SeaPea to hide its processes and network and file system activities from sight.

DarkSeaSkies would also feature a backdoor so the computer can be remotely controlled, and the ability to download files and run executables. If the malware loses contact with its listening post, it should delete itself. The tool would be installed by agents on a MacBook Air before being shipped to a target.

Crucially, the CIA documents state agents had "the opportunity to gift a MacBook Air to a target that will be implanted with this tool." In other words, operatives were in a position to give an Apple laptop to someone in the field as a present – perhaps a wedding gift or as a bribe – and wanted to bug the computer to keep tabs on that person. That means the agents wanted to buy the equipment, infect it, and then pass it to the target as a freebie.

This is in contrast to the spin WikiLeaks has put on the manuals. The Julian Assange-led organization is trying to characterize the files as evidence the CIA infiltrated factories and delivery companies to infect machines and handhelds. We're told that, rather than simply handing over kit as gifts, spies snuck into, or compromised, assembly lines and warehouses, which would be way more risky.

"While CIA assets are sometimes used to physically infect systems in the custody of a target, it is likely that many CIA physical access attacks have infected the targeted organization's supply chain, including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise," WikiLeaks said in a statement today.

Yes, of course, it's possible the agency can get its spyware onto devices by slipping operatives into supply chains – just like the NSA does – but none of today's documents show that. It's just internal user guides and wish-lists for surveillance software that you have to install by hand, on a machine physically in front of you. It's not even clear if any of the described techniques work against Apple's latest products and software.


Assange was due to answer questions on his team's latest leak in a live-streamed press conference on Thursday afternoon, but it was repeatedly delayed for unspecified reasons. Perhaps Jules realized he needed more evidence before besmirching the good name of America's hardest-working LSD-bothering murder-spies. We asked WikiLeaks to help us understand its thinking: it did not reply.

Next in the dump, there's Sonic Screwdriver – a Doctor Who reference suggesting the design may have come from the UK's GCHQ spy nerds – that is stored in an Apple Thunderbolt-to-Ethernet adapter. When plugged into a powered-down Mac laptop's Thunderbolt port, on booting up the machine, Sonic Screwdriver bypasses the Mac's firmware password, if set, allowing the CIA operative sitting in front of the computer to begin installing surveillance malware onto the system.

This sounds like a useful gizmo to have if you're a rogue worker within the supply chain: when no one's looking, find the machine destined for a target, take it somewhere private, stick in the adapter, install the malware, slip it into its packaging, and send it off. And somehow do all that and not get caught or make it obvious the hardware has been tampered with.

Think about it: why go to all that bother when you can send someone an infected birthday present? Why would a factory-fresh device have a firmware password set on it, when the whole point of Sonic Screwdriver is to defeat firmware-level protection? Sonic Screwdriver is clearly aimed at molesting seized machines, or machines accessed during black bag operations or airport security searches, and not at interfering with factory-fresh products in transit.

Finally, the files described OS X 10.7 and 10.8 snoop-ware dubbed Triton, and its infector Dark Mallet, plus an EFI firmware updater called DerStarke. Apparently, DerStarke 2.0 was in use by the agency as late as last year.

In summary: curious spykit, yes. Evidence of supply chain meddling, no. D-, must try harder. ®
