This story is over 5 years old.


WikiLeaks’ New Dump Shows How The CIA Allegedly Hacked Macs and iPhones Almost a Decade Ago

The new documents show how the CIA was ahead of the curve in attacking Apple computers.

Earlier this month, when WikiLeaks dumped a cache of hundreds of secret documents allegedly detailing the CIA's hacking operations, Julian Assange promised that was just "less than 1%" of what the secret-spilling had in its hands. On Thursday, WikiLeaks released a new cache of twelve documents, mostly detailing how the CIA allegedly hacked Apple computers and cellphones around a decade ago.

"These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware," WikiLeaks stated in a press release.


EFI and UEFI is the core firmware for Macs, the Mac equivalent to the Bios for PCs. By targeting the UEFI, hackers can compromise Macs and the infection persists even after the operating system is re-installed.

The documents are mostly from last decade, except a couple that are dated 2012 and 2013.

While the documents are somewhat dated at this point, they show how the CIA was perhaps ahead of the curve in finding new ways to hacking and compromising Macs, according to Pedro Vilaca, a security researcher who's been studying Apple computers for years.

Judging from the documents, Vilaca told Motherboard in an online chat, it "looks like CIA were very early adopters of attacks on EFI."

"It looks like CIA is very interested in Mac/iOS targets, which makes sense since high value targets like to use [those]," Vilaca told me. "Also interesting the lag between their tools and public research. Of course there's always unpublished research but cool to see them ahead."

Read more: WikiLeaks Won't Tell Tech Companies How to Patch CIA Zero-Days Until Its Demands Are Met

One example where the CIA appears to have anticipated what independent security researchers later found out is what the agency calls "Sonic Screwdriver," a technique to infect Macs with malware stored in an Apple Thunderbolt-to-Ethernet adapter, according to one leaked document.

Sonic Screwdriver, according to Vilaca, appears to be the same attack that Trammel Hudson later showcased in late 2014 and dubbed Thunderstrike.


While the two techniques look similar, the CIA's one appears to have different capabilities, and might have also been inspired by a talk at the Black Hat security conference in 2012, by a researcher known as Snare.

Sonic Screwdriver allowed the CIA to install its tools on a Mac even if the firmware password was enabled, while Thunderstrike allowed an adapter to overwrite the motherboard boot flash, which provided a more persistent intrusion.

Another document dated 2008 alleges that the CIA had developed a malicious implant for the iPhone that could be "physically installed onto factory fresh iPhones," according to WikiLeaks.

"[NightSkies] is installed via physical access to the device and will wait for user activity before beaconing," the document reads.

This suggest that just like the NSA, the CIA at some point might have been able to intercept iPhones and compromise them before they reached the target.

The CIA declined to comment.

Subscribe to pluspluspodcast, Motherboard's new show about the people and machines that are building our future.