By: Walker Rowe, March 28, 2017 (09:08 AM)

WikiLeaks Releases Dark Matter, the Second Batch of CIA Documents

Wikileaks Vault 7 CIA Espionage Tools

On March 23rd, Wikileaks released Dark Matter. As promised this is the second batch of leaked CIA documents. The focus here are iOS and Mac OS X exploits. But what is still not there is the source code. As we previously reported, WikiLeaks has not released that yet, except snippets, as they are working with the software and hardware vendors to give them a chance to patch these zero-day defects before putting all of that on the internet.

The CIA publication this time are user manuals and a test plan for a handful of exploits. Some of the manuals are quite old, dating from 2008 and 2012. But others are as recent as 2016 suggesting that some of this (Who knows how much?) works against newer iPhone and Mac devices. But given that the Apple devices are so expensive, there are plenty of older devices still in use that the CIA can target.

Here we look in brief at a couple of exploits. In total there are user guides online for 4 CIA spywares including one for attacking the Broadcom NetXtreme Ethernet Adapter. The CIA uses a Broadcom utility to implant the Thunderbolt-to-Ethernet spyware that we discuss below. There are no programmer-level, SDK-like technical references with details of how any of these work.


Most Macbooks have a LAN cable connection, except for the ultraslim ones. There the LAN cable plug is too wide. To attach those slim machines to a LAN connection Apple sells the Thunderbolt-to-Ethernet cable which plugs into the mini USB port. People might want this too if they want 1GBPS speed, which a wireless adapter will not support unless they use the AirPort Time Capsule.

Apple has found a way to update the firmware on MacBooks by infecting the Thunderbolt-to-Ethernet cable. They call this the Sonic Screwdriver. The CIA spy needs to have the MacBook in their possession to do this. So they intercept the MacBook enroute at Fedex or find some other way to get to it. The cable still works after installation. And if the device does not communicate with the CIA after a certain period of time the spyware erases itself.

WikiLeaks has the Screwdriver version 1 manual on their website. The document is dated 2012, which is newer than the NightSkies manual we mention below. The date of both documents and the versions of iOS and Mac OS X mentioned in both raises the question as to whether these hacks work with the newest devices and OS.

Sonic Screwdriver spies on the phone and allows remote code execution, meaning it lets the CIA install other spyware to turn the phone into a remote listening post or whatever.

Sonic Screwdriver updates the firmware on the Mac and then disables the factory reset option so that the victim cannot remove it. And since this is firmware and not the OS, an OS upgrade should not be able to block it. And as we said, while WikiLeaks has the manual, they do not have the source code online. So it’s not know whether Apple has found a way to defeat it. (Many PCs, for example, have a feature that checks whether the device’s firmware has been tampered with before they start. You have to disable that Secure Boot if you want to install, for example, Ubuntu. So evidently the CIA has figured out a way around that too.)


NightSkies lets the CIA execute commands on a compromised iPhone.

WikiLeaks finds itself in possession of the NightSkies user manual from 2008. This says one thing important and raises one important question. The CIA was able to hack the iPhone way back in 2008. But does their technique work today?

NightSkies, like the Thunderbolt-to-Ethernet attack, requires that the CIA spy have the iPhone in their possession to implant the spyware. That means somewhere in the supply chain the CIA has an asset. It is most likely someone who can intercept the mails. So the spy grabs the package, steams it open (Do they do that anymore?), and implants the spyware.

Like Thunderbolt-to-Ethernet, the device is hacked by attaching a USB cable to the device. The spy presses a key combination to make the phone think it requires a firmware update. iTunes kicks in and loads the compromise file that. Also the spy copies files from another computer onto the target computer via that cable.

The source code for the exploit is not on the WikiPedia site. So how it works exactly is not know. But there are plenty of details like what files are laid down where and what processes run.

The compromised device communicates with an Apache web server running PHP. It leaves the files there encrypted. Then a CIA analyst back at the CIA office downloads that and decrypts it. The CIA says that encryption is in case the LP (launch point) is compromised.

Be Informed. Stay One Step Ahead.

Sign up for our newsletter and stay up to date with the latest industry news, trends, and technologies