New WikiLeaks dump: The CIA built Thunderbolt exploit, implants to target Macs
Ars Technica 2017-03-24
Image caption: One of these things is a CIA implant dropper. (credit: From an original image by Scott Ackerman)
WikiLeaks today dumped a smaller subset of documents from its "Vault 7" collection of files from a CIA software developer server. Yet again, these documents are more important from the perspective of WikiLeaks having them than for showing any revelatory content. The exploits detailed in these new files are for vulnerabilities that have largely been independently discovered and patched in the past. The files also reveal that the CIA likely built one of these tools after seeing a presentation on the exploits of Apple's EFI boot firmware at Black Hat in 2012.
The latest batch of files, dramatically named "DarkMatter" (after one of the tools described in the dump), consists of user manuals and other documentation for exploits targeting Apple MacBooks—including malware that leveraged a vulnerability in Apple's Thunderbolt interface uncovered by a researcher two years ago. Named "Sonic Screwdriver" after the ever-useful tool carried by the fictional Doctor of Doctor Who, the malware was stored on an ordinary Thunderbolt Ethernet adapter. It exploited the Thunderbolt interface to allow anyone with physical access to a MacBook to bypass password protection on firmware and install one of a series of Apple-specific CIA "implants."
The first (and only documented) version of Sonic Screwdriver was released in 2012. It worked only on MacBooks built between late 2011 and mid-2012, and the tool used a vulnerability in the firmware of those computers that allowed commands to be sent via the Thunderbolt adapter to change the "boot path" (the location of the files used to boot the computer). The change would allow a local attacker to boot the targeted MacBook from an external device to install malware that eavesdropped on the computer during normal use. Those implants included "DarkMatter," the predecessor to "QuarkMatter." (QuarkMatter is malware that was revealed in the previous WikiLeaks dump, and it infected the EFI partition of a MacBook's storage device.)
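The two things the article says Sonic Screwdriver depended on, a firmware password that could be bypassed and a changed "boot path" in EFI, are both visible to a defender from inside macOS. The script below is an added example, written for this page rather than taken from the article or the leaked documents: it parses the text that `nvram -p` and `firmwarepasswd -check` print and flags a missing firmware password, a non-empty `boot-args` variable, and an `efi-boot-device` entry that names a volume outside an allowlist of known internal volumes. The `efi-boot-device` and `boot-args` variable names are real macOS NVRAM variables; the sample output, the allowlist UUID and the `audit`/`collect_live` helper names are constructed for the example.

```python
"""
Added example: audit the EFI boot settings that a "boot path" change alters.
Inputs are the plain-text outputs of `nvram -p` (name<TAB>value per line) and
`firmwarepasswd -check` ("Password Enabled: Yes|No"). The sample data below is
constructed for the example and modelled on those formats.
"""
import re
import subprocess
import sys
from typing import Dict, List

# Volume UUIDs of the internal boot volumes you expect to see; placeholder value.
KNOWN_INTERNAL_VOLUMES = {
    "11111111-2222-3333-4444-555555555555",
}

UUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def parse_nvram(text: str) -> Dict[str, str]:
    """Parse `nvram -p` output: one 'name<TAB>value' pair per line."""
    variables: Dict[str, str] = {}
    for line in text.splitlines():
        if "\t" not in line:
            continue
        name, value = line.split("\t", 1)
        variables[name.strip()] = value.strip()
    return variables


def firmware_password_enabled(text: str) -> bool:
    """Interpret `firmwarepasswd -check`, which prints 'Password Enabled: Yes|No'."""
    match = re.search(r"Password Enabled:\s*(Yes|No)", text)
    return bool(match) and match.group(1) == "Yes"


def audit(nvram_text: str, fwpasswd_text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    if not firmware_password_enabled(fwpasswd_text):
        findings.append("firmware password not set: boot device selection is unprotected")
    variables = parse_nvram(nvram_text)
    boot_args = variables.get("boot-args", "")
    if boot_args:
        findings.append(f"boot-args is set: {boot_args!r}")
    boot_device = variables.get("efi-boot-device", "")
    uuids = UUID_RE.findall(boot_device)
    for uuid in uuids:
        if uuid.upper() not in KNOWN_INTERNAL_VOLUMES:
            findings.append(f"efi-boot-device points at unknown volume {uuid}")
    if boot_device and not uuids:
        findings.append("efi-boot-device carries no volume UUID: review manually")
    return findings


def collect_live() -> List[str]:
    """Run the real commands on a Mac (firmwarepasswd needs root) and audit the result."""
    nvram_out = subprocess.run(["nvram", "-p"], capture_output=True, text=True).stdout
    fw_out = subprocess.run(["firmwarepasswd", "-check"], capture_output=True, text=True).stdout
    return audit(nvram_out, fw_out)


# Constructed sample: boot device changed to an unknown volume, verbose boot, no firmware password.
SAMPLE_NVRAM = (
    "efi-boot-device\t<array><dict><key>IOMatch</key><dict><key>IOProviderClass</key>"
    "<string>IOMedia</string><key>IOPropertyMatch</key><dict><key>UUID</key>"
    "<string>AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE</string></dict></dict></dict></array>\n"
    "boot-args\t-v\n"
    "SystemAudioVolume\t%80\n"
)
SAMPLE_FWPASSWD = "Password Enabled: No\n"

if __name__ == "__main__":
    source = collect_live() if sys.platform == "darwin" else audit(SAMPLE_NVRAM, SAMPLE_FWPASSWD)
    for finding in source or ["no findings"]:
        print(finding)
```

On a Mac the script audits the live machine; anywhere else it runs against the constructed sample and reports three findings. The allowlist approach is deliberate: rather than trying to recognise every external or Thunderbolt-attached device, the check asks whether the boot device is one the administrator already knows, which is the question that matters after a physical-access attack of the kind described.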