
“Dark Matter”: what WikiLeaks found in the CIA’s secret documents about hacking iPhones and MacBooks

According to the documents, the intelligence agency had access to personal data and could infect devices when it had physical access to them.


On March 23, WikiLeaks published a new batch of secret documents containing information about the CIA’s hacking tools, as part of its Vault 7 series. The published papers indicate that the agency developed a way of hacking iPhones and learned to infect MacBooks without leaving a trace.

The Dark Matter documents are detailed instructions for using each specific tool, but most of the tools were tested by the CIA seven years ago.

Sonic Screwdriver

One of the tools for infecting MacBooks was called “Sonic Screwdriver”. It infected the device through the USB or Thunderbolt ports and required physical access to the laptop. According to the document, the malicious code was written to a Thunderbolt-to-Ethernet adapter: it was enough to plug the adapter into the port and turn the device on.

The adapter could be infected either in advance or on site, using a special image that the CIA recommended burning to a USB drive or CD-ROM. Reflashing the accessory’s flash memory was not itself a direct threat, but the modified firmware executed whatever code it was given, including malicious code. The technique worked on the entire 2011-12 MacBook line.

The Sonic Screwdriver documents are dated 2012, and the vulnerability was first disclosed publicly in 2015 at the Black Hat hacker conference. The same year, Apple officially closed this loophole.


Two other programs – Triton and DerStarke – were designed to operate autonomously.

Triton could access all the files on the user’s computer and send them to the CIA. The developers also took care to protect it from discovery: the tool could remove itself from the device without the user noticing. Triton worked in two modes – automatic and with one-time tasks.

In “spy” mode, the program silently collected data and periodically reported its actions to the operator. “Immediate” tasks Triton performed only once, for example downloading files from a specified folder or placing something there. Once run, the task script was completely removed from the folder containing the exploit.


DerStarke is a more sophisticated version of Triton that could not be found on disk, even in hidden partitions. The malware was implanted in the system’s UEFI firmware (whose main function is to boot the laptop correctly) and remained active even after a complete reinstallation of the operating system.

As with Triton, its main goal was to manipulate users’ files. But unlike its predecessor, DerStarke was even better disguised: it mimicked browser traffic, so tools for monitoring outgoing traffic showed no abnormal activity. All MacBooks released from 2010 to 2013 and running OS X 10.7, 10.8 or 10.9 were affected.


The CIA also used DarkSeaSkies, but considered the program obsolete and abandoned it in favor of Triton and DerStarke.

DarkSeaSkies comprised three tools – DarkMatter, SeaPea and NightSkies. Each had its own role: DarkMatter installed the other two, SeaPea hid all files and malware activity from the user, and NightSkies gave CIA employees remote control of the laptop and access to the files on it. The whole DarkSeaSkies suite worked only on Mac OS X 10.5.

In addition, the CIA was able to adapt NightSkies version 1.2 to compromise the first iPhone models. It worked only on the iPhone 3G and was used at a time when iOS as such did not yet exist and iPhone OS had no App Store.

The CIA created a modified firmware version for the device whose malicious code gave access to SMS messages, the contact book and the call log. If agency employees needed to update the firmware, they could do so remotely and even install new tools. To use it, an agent had to connect the iPhone to a computer and manually load the unofficial version of the system.

As TechCrunch editor Romain Dillet noted, exploiting this loophole would now be impossible, since Apple does not allow installing an old version of the system even through iTunes with a special image. All firmware is verified on the company’s servers before installation.


Apple representatives initially declined to comment on the situation, but the day after the WikiLeaks publication announced that the vulnerabilities had been closed.

We conducted a preliminary investigation based on the WikiLeaks documents. Based on our internal analysis, we can state that the potential iPhone vulnerability concerned only the 3G model and was eliminated in 2009 with the release of the iPhone 3GS.

In addition, preliminary analysis shows that all the MacBook vulnerabilities mentioned in the documents were already fixed in models released after 2013.

We did not exchange any information with Wikileaks. We were ready to provide them with any information according to our standard rules. We also did not receive information from this organization outside the public domain.

We tirelessly protect the security and privacy of our users, but we do not justify theft (of documents) or work with those who threaten our users.

Apple Press Service

The full text of the published documents can be found in the corresponding section of the WikiLeaks website.

On March 7, WikiLeaks published the first part of the archive of the CIA Center for Cyber Intelligence, consisting of 8,761 documents and files. It contained references to software for tracking users of iPhones, Android smartphones and smart TVs. After the leak, the agency began an audit of the contractors who developed software for it and suspected a group of programmers of leaking the classified information.
