WikiLeaks' New Dump Shows How The CIA Allegedly Hacked Macs and iPhones Almost a Decade Ago (vice.com)

WikiLeaks said on Thursday morning it will release new documents it claims are from the Central Intelligence Agency which show the CIA had the capability to bug iPhones and Macs even if their operating systems have been deleted and replaced. From a report on Motherboard: "These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware," WikiLeaks stated in a press release. EFI and UEFI are the core firmware for Macs, the Mac equivalent of the BIOS on PCs. By targeting the UEFI, hackers can compromise Macs, and the infection persists even after the operating system is reinstalled. The documents are mostly from last decade, except a couple that are dated 2012 and 2013. While the documents are somewhat dated at this point, they show how the CIA was perhaps ahead of the curve in finding new ways of hacking and compromising Macs, according to Pedro Vilaca, a security researcher who's been studying Apple computers for years. Judging from the documents, Vilaca told Motherboard in an online chat, it "looks like CIA were very early adopters of attacks on EFI."

18 of 113 comments

  1. The more complex the easiest to hack by Anonymous Coward · · Score: 2, Funny

    Nothing like good old BIOS and hardware jumpers

    1. Re:The more complex the easiest to hack by Anonymous Coward · · Score: 2, Insightful

      Exactly the opposite. It used to be easy to hack your own computer. Now you need the resources of the CIA.

  2. The management unit in all intel processors by goombah99 · · Score: 5, Interesting

    It seems to me that having a chip, the management unit, in all Intel processors that sits above even a hypervisor and can read all memory, has its own connection to the network, runs Java code, and is software reprogrammable, is basically the wet dream of root kits. It's invisible to anything you run on the CPU but sees all and tells all.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:The management unit in all intel processors by goombah99 · · Score: 4, Interesting

      For a little background on the management engine:
      http://hackaday.com/2016/11/28...

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:The management unit in all intel processors by phantomfive · · Score: 2

      And it's been hacked, multiple times, actually.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:The management unit in all intel processors by Anonymous Coward · · Score: 2, Informative

      Let's not forget the fact that Intel (Israel) and NSA (US) have collaborated to bury far far more insidious things inside the many BILLIONS of transistors of the CPU itself... we're talking full backdoor encrypted magic packet access, interaction with Windows NSA_KEY, heuristic triggers, the works. BILLIONS of transistors folks, BILLIONS, all inside a TOP SECRET CLOSED SOURCE die and company... think about that for just a minute folks.

      Open source software is MEANINGLESS when you can't trust the platform.
      DEMAND OPEN SOURCE HARDWARE and FABS.

  3. And now maybe we'll know why ... by Ungrounded+Lightning · · Score: 5, Interesting

    And now maybe we'll know why it's been so hard for Open Source developers to get information on writing their own against-the-metal drivers for telephony radios and startup modules (BIOS, EFI/UEFI, etc.).

    It has long been suspected that was not just proprietary info-walling, but to reduce chances of discovery of backdoors and persistent threats imposed in the name of spying.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:And now maybe we'll know why ... by Zero__Kelvin · · Score: 2

      You evidently didn't know the entire source for UEFI is available. I have git cloned it and built and used it successfully. Of course, that doesn't tell you about the UEFI build running on your system, but it DOES allow you to roll your own.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  4. UFIA or EEFI? by goombah99 · · Score: 2

    I've always transposed UEFI to UFIA in my mind. Now I know why.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  5. So, it's not only the Russians that hack, huh! by bogaboga · · Score: 2

    Prior to this, I'd have thought America and especially its government agencies do not hack.

    I guess I was wrong. What troubles me is that the media only talked about the Russians, yet the act was taking place in our backyard!

    Question: Will the media put both the left and right to task?

    1. Re:So, it's not only the Russians that hack, huh! by Jeremi · · Score: 2

      Prior to this, I'd have thought America and especially its government agencies do not hack.

      Why would you have thought that? Spying has been going on since pretty much the dawn of time. It's what spy agencies do, and hacking computers is one way that they do it. Being surprised that the CIA does hacking is like being surprised that the Army shoots people.

      I guess I was wrong. What troubles me is that the media only talked about the Russians, yet the act was taking place in our backyard!

      What makes you think this spying was taking place in our backyard? The fact that the CIA was installing spyware doesn't mean that the CIA was installing spyware on the property of US citizens. (it doesn't mean they weren't, either -- but as a matter of law, they are not legally allowed to spy inside the US)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
  6. Re:I thought that was only in servers by goombah99 · · Score: 4, Informative

    Nope, it's in every core processor chipset.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  7. Re:Apple Innovations! by Carewolf · · Score: 2

    So UEFI is now a Mac only thing, huh?

    It was 10 years ago ;)

    Though as far as I know Apple uses EFI.

  8. Physical access by MikeMo · · Score: 2

    Note that both of these hacks require physical access.

    1. Re:Physical access by AHuxley · · Score: 2

      That makes it better? The CIA has to distract a person to get to the phone? Or become their friend? Or watch their online shopping and alter it during shipping?
      The physical access just avoids unexpected network sweeps, logs or code litter.
      No network access to the device to alter the device, no network access to remove captured data.
      It's more about tradecraft than any US domestic legal protection.
      Be aware of unexpected new friends, offers of friendship that seem too perfect. It's a distraction to get the device.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Physical access by cmseagle · · Score: 2

      That makes it better?

      Uh, yeah, it definitely does. It drastically reduces the number of people/organizations who can exploit the vulnerability. Needing physical access is a huge obstacle for your average cyber criminal.

  9. Obligatory: Intel CPU Backdoor Report by Anonymous Coward · · Score: 5, Interesting

    Obligatory: Intel CPU Backdoor Report

    Intel CPU Backdoor Report (Updated Mar 13, 2017)

    The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

    What we know about Intel CPU backdoors so far:

    TL;DR version

    Your Intel CPU and Chipset is running a backdoor as we speak.

    The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

    30C3 Intel ME live hack:
    @21m43s, keystrokes leaked from Intel ME above the OS, Wireshark failed to detect packets.
    [Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
    [Quotes] Vortrag:
    "DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

    "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

    "We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

    "To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

    "We can permanently monitor the keyboard buffer on both operating system targets."

    Backdoor removal:
    The backdoor firmware can be removed by following this guide using the me_cleaner script.
    Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

    Decoding Intel backdoors:
    The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

    If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them; beware that Intel is using a lot of countermeasures to prevent their backdoors from being decoded (explained below).

    Useful links:
    The Intel ME subsystem can take over your machine, can't be audited
    REcon 2014 - Intel Management Engine Secrets
    Untrusting the CPU (33c3)
    Towards (reasonably) trustworthy x86 laptops
    30C3 To Protect And Infect - The militarization of the Internet
    30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

    1. Introduction, what is Intel ME

    Short version, from Intel staff:

    Re: What Intel CPUs lack Intel ME secondary processor?
    Amy_Intel Feb 8, 2016 9:27 AM

    The Management Engine (ME) is an isolated and protected cop

  10. Re:To clarify the parent's assertion: by goombah99 · · Score: 2

    Newer versions are turning out to not allow BIOS disablement. The sad history of this, from what I can piece together, is that initially you could disable it in the BIOS. Then newer versions had "hidden" BIOS disablement, that is to say, no GUI BIOS disablement but still an editable firmware disablement. Then newer still ones, no possibility of disablement. For these some people have discovered that overwriting certain blocks (basically all blocks after the first block) of this allows disablement without the 30 second shutdown. One can see where this is headed in the next generation very easily.

    --
    Some drink at the fountain of knowledge. Others just gargle.
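Both the me_cleaner procedure in comment 9 and the "overwrite all blocks after the first" observation in comment 10 start from the same step: finding the ME region inside a dump of the chipset flash. The following is an added example, not code from the thread or from me_cleaner, that parses the Intel flash descriptor to locate the ME region and reports whether an ME partition table ("$FPT") is still there; it assumes the documented descriptor layout (signature at 0x10, FLMAP0 at 0x14, FLREG entries at FRBA) and builds a constructed 64 KiB image in place of a real flashrom dump.

```python
import struct

FLVALSIG = 0x0FF0A55A          # descriptor signature expected at offset 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]

def parse_regions(image: bytes) -> dict:
    """Return {name: (start, end)} for every region the descriptor defines."""
    sig, = struct.unpack_from("<I", image, 0x10)
    if sig != FLVALSIG:
        raise ValueError("no valid Intel flash descriptor at offset 0x10")
    flmap0, = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4     # Flash Region Base Address
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        flreg, = struct.unpack_from("<I", image, frba + 4 * idx)
        base = (flreg & 0x7FFF) << 12                  # 4 KiB granularity
        limit = (((flreg >> 16) & 0x7FFF) + 1) << 12
        if base < limit:                    # base above limit means "unused"
            regions[name] = (base, limit - 1)
    return regions

def me_status(image: bytes) -> str:
    """Classify the ME region: 'absent', 'present' ($FPT found) or 'wiped'."""
    regions = parse_regions(image)
    if "ME" not in regions:
        return "absent"
    start, _end = regions["ME"]
    head = image[start:start + 0x20]
    # The partition table marker sits at offset 0x10 on older ME firmware
    # and at offset 0 on newer ones; either means firmware is still there.
    if head[:4] == b"$FPT" or head[0x10:0x14] == b"$FPT":
        return "present"
    return "wiped"

def build_sample_image(with_fpt: bool) -> bytes:
    """Constructed 64 KiB flash image (assumption, not a real dump)."""
    img = bytearray(b"\xff" * 0x10000)
    struct.pack_into("<I", img, 0x10, FLVALSIG)
    frba = 0x40
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)    # FLMAP0.FRBA
    # FLREG pairs (base, limit) in 4 KiB units: descriptor, BIOS, ME;
    # GbE and PDR marked unused (base 0x7fff, limit 0).
    for idx, (base, limit) in enumerate([(0, 0), (8, 15), (1, 7), (0x7FFF, 0), (0x7FFF, 0)]):
        struct.pack_into("<I", img, frba + 4 * idx, (limit << 16) | base)
    if with_fpt:
        img[0x1010:0x1014] = b"$FPT"      # ME partition table marker
    return bytes(img)
```

On a real dump (for example one read with flashrom over the SPI clip described in comment 9), run `me_status(open("dump.bin", "rb").read())` before and after modification to confirm which region was touched.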