
How the CIA Hacks Into Your Apple Devices


Wikileaks' latest Vault 7 release on Thursday made one terrifying fact clear: the CIA can hack into pretty much anyone’s phone, and there’s almost nothing its targets can do to stop it.

The new release, named “Dark Matter,” details several attacks on Apple products, most of which seek to directly exploit various devices’ firmware — the permanent, manufacturer-installed software that runs a device’s core functions. The CIA’s methods seem broadly similar to the NSA technologies revealed by Der Spiegel in 2013, a veritable smorgasbord of fancy spy equipment that all serves one purpose: to put malicious code onto a device. Here’s how the CIA manages to do it.

Physical Control

Most of the CIA’s exploits seem to revolve around one thing: physical access to a device. The easiest way to do that, according to the CIA, is to get to a brand new device before the user actually receives it themselves.

Wikileaks claims that the CIA is “infecting the iPhone supply chain of its targets,” which could include NSA-style “interdiction” of devices in the mail. That’s a jargony way of saying, basically, that CIA agents can just steal an iPhone, ordered on the internet, out of the mail while it’s being delivered. The agents would then take this “factory fresh” device, load malicious software onboard, and send it along to the intended recipient. The target would get their iPhone, boxed up all neat and pristine, already infected with government spy software.

Types of attack

Attacks like DerStarke, DarkSeaSkies, and NightSkies all target Apple firmware, but each is specialized to its own particular devices and versions, and has its own special abilities. The most fundamental of these tools are the ones that implant malware packages into a device, which can then be used to monitor what that device does — everything from its location to the user’s web browsing history. For example, the Sonic Screwdriver program functions a bit like its Doctor Who namesake, magically granting access to a device via a Thunderbolt or USB port on Mac laptops. The program’s code can actually be stored on a Thunderbolt-to-Ethernet adapter, a simple dongle that people wouldn’t usually think of as storing data. By booting the device with Sonic Screwdriver inserted, the attacker can circumvent Apple’s firmware password and install whatever they like, essentially granting a CIA hacker the same access to the device that Apple itself has.

What that means

These sub-firmware installations can achieve “persistence,” a term the CIA’s programmers use to mean that they stay on the device when you update the firmware (like any iOS update), and even when you completely wipe the operating system. One leaked document has instructions for how to deploy the NightSkies program from way back in 2008, when the CIA was briefing its agents on how to properly crack an iPhone 3G. It may seem dated, but Wikileaks has made it clear that it will soon release newer versions of many of these attacks.

[Image: leaked NightSkies deployment instructions, via Wikileaks. Caption: You probably can't find these instructions on the Apple website, but it's not exactly hard.]

Newer attacks, presumably, will take longer for manufacturers to fix, meaning Wikileaks will have to hold back on its most relevant releases if it wants to avoid breaking its promise not to undermine national security.

More worryingly, though, “compromising supply chains” could refer to indiscriminate mass infections of iPhones via production facilities. That might sound useless, given that most of the people infected would be totally irrelevant for intelligence purposes, but consider the NightSkies implant: “beacons” like that one can send a signal out to their controllers when certain conditions have been met. Based on what we know about NSA beacons, they could be distributed widely (such as, say, infecting every iPhone going to a certain store in a city) and coded only to alert the CIA when they find that their host device is owned by a particular target, or by any owner whose behavior meets certain conditions.

Perhaps the most salacious revelation of the Vault 7 releases thus far is that the CIA has had the ability to hack iPhones starting from a year after their initial release — way back in 2008, before emojis and iMessage made the devices ubiquitous in pop culture. Still, Android users shouldn’t get too smug — if the CIA was able to do this to a closed system like the iPhone, it’s possible that Google’s manufacturer-muddled alternative has fared far worse.