On Tuesday, Wikileaks published a selection of files and documents allegedly related to CIA hacking capabilities, including those that targeted certain versions of iOS, Apple's operating system for mobile devices.
According to the documents, the CIA allegedly, and unsurprisingly, has obtained a variety of exploits that affected different parts of iPhone software, such as the kernel—the heart of the operating system—others that broke through protections offered by the device's web browser, and methods for keeping malware on the target device. The latest version of iOS included in one spreadsheet goes up to iOS 9.2, which dates from 2015.
But Apple, for its part, says that many of the issues discussed in the dump have been patched in the latest iOS.
"Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system," an Apple spokesperson told Motherboard in an emailed statement. The latest version of iOS is 10.2.1.
"While our initial analysis indicates that many of the issues leaked were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities," the spokesperson added.
Wikileaks did not publicly distribute any actual exploits, but the documents give an indication of what some were allegedly designed for, how they were obtained, and what versions of iOS they supposedly worked on.
It's worth bearing in mind that a single exploit most likely does not result in a successful compromise of an iOS device: instead, attackers may need to string together exploits, moving from one part of the system to another
Those include Earth/Eve, a remote exploit that was purchased by the NSA, shared with the CIA, and also worked on by GCHQ, the UK's primary signals intelligence agency. GCHQ discovered a kernel exploit codenamed Nandao, according to the spreadsheet. The CIA allegedly uncovered several of its own too, including a bug that allowed the attacker persistence over the device, and its own kernel exploit.
As previously noted by Motherboard, the FBI's Remote Operations Unit—one of the Bureau's hacking divisions—is also mentioned. According to the spreadsheet, the Bureau discovered an iOS 7 bug. In all, the spreadsheet on iOS attacks names 14 exploits.
It's worth bearing in mind that a single exploit most likely does not result in a successful compromise of an iOS device: instead, attackers may need to string together exploits, moving from one part of the system to another, to take over the device. This exploit chain has become so valuable for later iOS devices, that surveillance companies have offered upwards of $1 million for a complete chain.
In one spreadsheet, the CIA allegedly lays out what exploits an attacker would need for different iOS versions. For some, the agency does not need to escape the target's internet browser in order to compromise the entire phone, and attacks can be delivered either remotely or locally.
Some of these exploits are referenced in a user guide for "MCNUGGET" included in the dump; a tool for non-persistent access to iOS 8.0-8.1.3 devices. Another user guide details "DRBOOM", a script for installing persistent malware on iOS 7-8.2 devices that the attacker has physical access to. It requires plugging the iPhone into a Mac running at least OS X Yosemite via USB.
When asked, Apple was unable to provide in time for publication more information about how it can be sure many of the issues described in the cache have been patched. But other bugs referenced in the documents were publicly discovered, including one by Chinese jailbreaking team Pangu, and iOS security researcher Stefan Esser. Only a handful of the bugs in the spreadsheet include dates they no longer worked.
Even though Apple says that the alleged CIA attacks have already been patched, that is not to say that the agency doesn't have the capability to target more recent iPhones. It is always a good idea to keep operating systems up to date, especially if updates contain security patches.
This post has been updated to clarify only a handful of the alleged bugs include so-called death dates.