iPhone users' security and privacy are called into question this week.
First, a new batch of celebrity nudes has started to show up online in what appears to be another iCloud account breach. Then a hacker group demanded a ransom from Apple, claiming to hold credentials for millions of iCloud accounts. Now, new leaks show some very frightening vulnerabilities. Apple's response does little to assuage fears.
A new batch of WikiLeaks Vault 7 leaks shows a whole set of iPhone and Mac hacks. This batch, titled "Dark Matter", details several implants used against Macs and the iPhone. It describes firmware-level persistence that even reinstalling the operating system will not remove. It also states that one iPhone implant has been in use since at least 2008 and was expressly designed to be installed on "factory fresh" devices.
The WikiLeaks press release:
23 March, 2017
Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.
Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.
“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.
Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.
Also included in this release is the manual for the CIA's "NightSkies 1.2", a "beacon/loader/implant tool" for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory fresh iPhones, i.e. the CIA has been infecting the iPhone supply chain of its targets since at least 2008.
While CIA assets are sometimes used to physically infect systems in the custody of a target, it is likely that many CIA physical access attacks have infected the targeted organization's supply chain, including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.
Apple’s responses are not very inspiring.
Speaking to the ransom claim against iCloud accounts, Apple states that its systems were not breached.
"If the list is legitimate, it was not obtained through any hack of Apple," stated an Apple spokesman. "There have not been any breaches in any of Apple's systems including iCloud and Apple ID."
This response is no surprise. It is very much like the original response to the first leak of celebrity nudes, dubbed "The Fappening", when Apple stated that its security had worked as expected. I have a problem with this type of response. First, it is very likely that Apple is correct, and that the credentials were not taken from Apple. It is far more likely that these 300 million or so usernames and passwords were gathered from other large-scale breaches. We all know users who reuse the same password across accounts, and we also know of some fairly large hacks of other services (like Yahoo) which were recently made public. Credential reuse is exactly what makes a list stolen from one service usable against another. My problem is that Apple seems to show very little concern over this issue other than giving a "not my fault" response. Apple should be proactive in this instance: not merely responding to media requests, but actively informing users to reset their information, checking its users' credentials against the leaked list and forcing resets on the accounts that match, or even forcing all users to update their passwords.
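One way a service could act on the credential-reuse point above, as an added example written for this post rather than anything Apple or WikiLeaks describe: at login, when the plaintext password is momentarily available, check it against a corpus of passwords recovered from other breaches, using the k-anonymity range-query pattern so that only a five-character hash prefix ever leaves the authenticating component. The breach corpus, the "SUFFIX:COUNT" bucket layout and the sample logins are all constructed for illustration and are assumptions, not a documented Apple interface.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List

# Constructed stand-in for passwords recovered from third-party breach dumps
# (the kind of leak mentioned above); not a real corpus.
BREACHED_CORPUS = ["password", "123456", "qwerty", "letmein", "iloveyou", "password"]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest the range index is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: List[str]) -> Dict[str, List[str]]:
    """Index the corpus by the first 5 hex chars of each password's SHA-1.

    Each bucket holds 'SUFFIX:COUNT' lines, mirroring the k-anonymity range
    format used by public breach-lookup services (an assumption about layout,
    not a documented Apple interface).
    """
    counts: Dict[str, int] = defaultdict(int)
    for pw in corpus:
        counts[sha1_upper(pw)] += 1
    index: Dict[str, List[str]] = defaultdict(list)
    for digest, n in counts.items():
        index[digest[:5]].append(f"{digest[5:]}:{n}")
    return dict(index)


def breach_count(password: str, index: Dict[str, List[str]]) -> int:
    """Number of times the password appears in the corpus, or 0.

    Only the 5-char prefix selects a bucket, so a remote lookup service would
    learn the prefix but never the full hash or the password; the suffix
    comparison happens locally.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in index.get(prefix, []):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def users_needing_reset(logins: Dict[str, str], index: Dict[str, List[str]]) -> List[str]:
    """Accounts whose login password matches a breached one (sorted for stable output)."""
    return sorted(user for user, pw in logins.items() if breach_count(pw, index) > 0)


INDEX = build_range_index(BREACHED_CORPUS)

# Constructed login attempts; 'bob' uses a password absent from the corpus.
SAMPLE_LOGINS = {"alice": "password", "bob": "zq!9Lm#vT2pX", "carol": "letmein"}

if __name__ == "__main__":
    print(users_needing_reset(SAMPLE_LOGINS, INDEX))  # → ['alice', 'carol']
```

The point of the prefix split is that a provider can outsource the breach corpus without handing the lookup service its users' password hashes; a forced reset targeted at the matching accounts is then a far smaller disruption than resetting everyone.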
As to the WikiLeaks news, Apple released the following statement:
We have preliminarily assessed the Wikileaks disclosures from this morning. Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013.
We have not negotiated with Wikileaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms. Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.
This is essentially the same response Apple gave to the last WikiLeaks dump, which also stated that the vulnerabilities had already been fixed. Anyone with basic reading skills can tell that the WikiLeaks release and Apple's statement are speaking of very different things. Apple is addressing the specific vulnerabilities that let the implants in, and says the iPhone one was fixed in 2009 and the Mac ones in 2013. The documents, on the other hand, describe implants delivered by physical access and persisting in firmware, and a hands-on supply-chain infection does not necessarily depend on one patched bug. I'd like to know why the CIA would continue to update these tools into 2016 if only pre-2009 phones and pre-2013 Macs were affected.
It doesn't really make much sense, does it? It really comes down to who you believe. Who do you trust? Luckily, as a BlackBerry user, I don't really have to believe or trust Apple or WikiLeaks. And I don't. I trust BlackBerry, who has always placed security first. BlackBerry, who has not been responsible for the loss of a multitude of private celebrity photos. BlackBerry, who has not had millions of customers' files at risk of deletion in a ransom threat. BlackBerry, who values my privacy as much as I do.