WikiLeaks' New Dump Shows How The CIA Allegedly Hacked Macs and iPhones Almost a Decade Ago (vice.com) 113
WikiLeaks said on Thursday morning it will release new documents it claims are from the Central Intelligence Agency which show the CIA had the capability to bug iPhones and Macs even if their operating systems have been deleted and replaced. From a report on Motherboard: "These documents explain the techniques used by CIA to gain 'persistenc'' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware," WikiLeaks stated in a press release. EFI and UEFI is the core firmware for Macs, the Mac equivalent to the Bios for PCs. By targeting the UEFI, hackers can compromise Macs and the infection persists even after the operating system is re-installed. The documents are mostly from last decade, except a couple that are dated 2012 and 2013. While the documents are somewhat dated at this point, they show how the CIA was perhaps ahead of the curve in finding new ways to hacking and compromising Macs, according to Pedro Vilaca, a security researcher who's been studying Apple computers for years. Judging from the documents, Vilaca told Motherboard in an online chat, it "looks like CIA were very early adopters of attacks on EFI."
The more complex the easiest to hack (Score:2, Funny)
Nothing like good old BIOS and hardware jumpers
Re: (Score:2, Insightful)
Exactly the opposite. It used to be easy to hack your own computer. Now you need the resources of the CIA.
Re: (Score:1)
If a computer tech has told you that it makes his job more difficult then said computer tech is an incompetent moron.
As far as your claim you don't seem to understand how the optional Secure Boot facility would stop this attack cold in it's tracks. With UEFI you CAN fight such an attack. With BIOS you have no such capabili
Re: (Score:2)
Pretty much fuck you.
UEFI has greatly complicated everything it touches that I run into professionally, because it has turned stuff that had a reasonably standard way of happening into a shitshow of different custom crap, stupid shims, etc. Legacy OSes get confused, so it seems mostly tuned towards the applications that use the latest and greatest stuff. Sometimes you have to try out numerous combinations where the firmware treats some components as legacy BIOS and others as UEFI. The machines take longe
Apple Innovations! (Score:1)
UFIA or EEFI? (Score:3)
I've always transposed UEFI to UFIA in my mind. now I know why
Re: (Score:3)
So UEFI is now a Mac only thing, huh?
It was 10 years ago ;)
Though as far as I know Apple uses EFI
The management unit in all intel processors (Score:5, Interesting)
It seems to me that having a chip, the management unit, in all intel processors that sits above even a hypervisor and can read all memory, have it's own connection to the network, runs java code, and is software reprogrammable, is basically the wet dream of root kits. it's invisible to anything you run on the CPU but sees all and tells all.
Re:The management unit in all intel processors (Score:5, Interesting)
for a little background on the management engine:
http://hackaday.com/2016/11/28... [hackaday.com]
Obligatory: Intel CPU Backdoor Report (Score:5, Interesting)
Obligatory: Intel CPU Backdoor Report
Intel CPU Backdoor Report (Updated Mar 13, 2017)
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware [youtube.com]
[Quotes] Vortrag [events.ccc.de]:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."
"We have recently improved DAGGER's capabilites to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."
"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."
"We can permanently monitor the keyboard buffer on both operating system targets."
Backdoor removal:
The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).
Useful links:
The Intel ME subsystem can take over your machine, can't be audited [ycombinator.com]
REcon 2014 - Intel Management Engine Secrets [youtube.com]
Untrusting the CPU (33c3) [youtube.com]
Towards (reasonably) trustworthy x86 laptops [youtube.com]
30C3 To Protect And Infect - The militarization of the Internet [youtube.com]
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software [youtube.com]
1. Introduction, what is Intel ME
Short version, from Intel staff:
Re: What Intel CPUs lack Intel ME secondary processor? [intel.com]
Amy_Intel Feb 8, 2016 9:27 AM
The Management Engine (ME) is an isolated and protected cop
Re: (Score:1)
That's nice, except for the part where it's independent of the CPU (in other words, it works even with a dead CPU) and the fact that it's off by default and the end user has to go out of their way to enable it. Though that doesn't make for a good enough conspiracy theory so nobody mentions it, and instead only pay attention to RMSs (incorrect) belief that it's enabled by default.
Dead wrong again (Score:1)
Are you people really stupid or just paid shill? Or you have some kind of weak mind that you just can't accept how bad things are?
You really need to look at reality more before talking out of your ass, they've got you by the balls.
I just updated the report:
7. Active Intel ME Example:
Thinkpad X201 has KVM and Anti-Theft (internal 3G) enabled by default [github.com]
intelmetool -s
ME: Firmware Version 0.996.511.0
ME Capability- Full Network manageability - ON
ME Capability- Regular Network manageability - OFF
ME Capability- Manageability - ON
ME Capability- Small business technology - OFF
ME Capability- Level III manageability - OFF
ME Capability- Intel Anti-Theft (AT) - ON
ME Capability- Intel Capability Licensing Service (CLS) - ON
ME Capability- Intel Power Sharing Technology (MPC) - ON
ME Capability- ICC Over Clocking - ON
ME Capability- Protected Audio Video Path (PAVP) - ON
ME Capability- IPV6 - ON
ME Capability- KVM Remote Control (KVM) - ON
ME Capability- Outbreak Containment Heuristic (OCH) - OFF
ME Capability- Virtual LAN (VLAN) - OFF
ME Capability- TLS - ON
ME Capability- Wireless LAN (WLAN) - OFF
Re: Dead wrong again (Score:1)
Actually a weak mind can't tell the difference between reality and what is imagined. This is why tarot cards are a thing, and it's how Alex Jones makes money.
I thought that was only in servers (Score:2)
For remote management of OS startup/shutdown and system monitoring and its effectively a small seperate computer. I don't think consumer machines have this installed. Unless I'm getting confused about what you're referring to.
Re:I thought that was only in servers (Score:5, Informative)
nope, it's in every core processor chipset.
Re: (Score:1)
Re: (Score:2)
you can't disable it. if it doesn't run it shuts the chip down in 30 minutes.
Re: (Score:3)
Newer versions are turning out to not allow bios disablement. The sad history of this, from what I can peice together is that initially you could disable it in bios. Then newver versions had "hidden" bios diablement. that is to say, no GUI bios diablement but still an editable firmware disablement. Then newer still ones, no possibility to disablement. For these some people have discovered that overwriting certain blocks (basically all blocks after the first block) of this allows disablement without th
Re: (Score:2)
So... just route around Intel by buying AMD and you're good, right?
Re: (Score:1)
Re: (Score:2)
AC thats why the later data collection is often done in person.
The code can outlast any rebuild, reinstall. Its more about been nice place to hide rather than needing a network out connection that will show in any log.
Re: (Score:2)
what you said seems to be fully contradicted in everything I have read on this. People have been trying to years to turn this off. there were a couple of hacks discovered but now those dont work either.
Re: (Score:3)
Re: (Score:2)
Eh, no. UEFI implementations have been "hacked"* several times but AFAIK there is no instance of the security processor being tampered with.
(* back in the days we used to assume that access to hardware == access to the computer, it's just that hardware/software makes that much harder to do than before)
Re: (Score:2)
Re: (Score:2)
What are you talking about? It runs on its own separate processor. It's not even x86, it's ARC. The purpose is to allow you to troubleshoot a PC that merely powers on but is otherwise dead, up to and including a dead CPU.
Re: (Score:2)
Is there an API that allows you to talk to the ARC (or to reflash it)? How do people program it (surely not jtag; or rather, there must be some way in addition to jtag)?
Re: (Score:2, Informative)
Let's not forget the fact that Intel (Israel) and NSA (US) have collaborated to bury far far more insidious things inside the many BILLIONS of transistors of the CPU itself... we're talking full backdoor encrypted magic packet access, interaction with Windows NSA_KEY, heuristic triggers, the works. BILLIONS of transistors folks, BILLIONS, all inside a TOP SECRET CLOSED SOURCE die and company... think about that for just a minute folks.
Opensource software is MEANINGLESS when you can't trust the platform.
DEMA
Re: (Score:2)
It would be an awful risk for Intel to knowingly or unknowingly take. Like a forced security certificate, the secret would only have to leak once and the evidence would be in non-volatile memory for inspection.
More likely would be a compromise in Intel's hardware random number generator which leaves no evidence to be found but hey, why not both?
And now maybe we'll know why ... (Score:5, Interesting)
And now maybee we'll know why it's been so hard for Open Source developers to get information on writing their own against-the-metal drivers for telephony radios and startup modules (BIOS, EFI/UEFI, etc.)
It has long been suspected that was not just proprietary info-walling, but to reduce chances of discovery of backdoors and persistent threats imposed in the name of spying.
Re: (Score:2, Insightful)
It have also been long suspected that UN strives for world domination and have plans to take control of the US via military force, that aliens insert tracking chips into people and that the MIB goes around harassing people that "knows" this with silent black helicopters.
IT'S. NOT. LOGICAL.
Stop giving in to shitty conspiracy theories - there's no need for them. If there were secret backdoors inserted in hardware and software then we would know it, stopping such information from leaking via the engineers buil
Re: (Score:2)
We would know eventually, see TFS. The other reasons probably exist as well.
Re: (Score:2)
Re: (Score:2)
And now maybee we'll know why it's been so hard for Open Source developers to get information on writing their own against-the-metal drivers for telephony radios and startup modules (BIOS, EFI/UEFI, etc.)
It has long been suspected that was not just proprietary info-walling, but to reduce chances of discovery of backdoors and persistent threats imposed in the name of spying.
Maybe but the backdoor only has to be discovered or leaked once. I doubt this would matter for telecommunication providers who have immunity anyway and are known to be jerks but it would be a big deal for Intel or AMD.
So, it's not only the Russians that hack, huh! (Score:3)
Prior to this, I'd have thought America and especially its government agencies do not hack.
I guess I was wrong. What troubles me is that the media only talked about the Russians, yet the act was taking place in our backyard!
Question: Will the media put both the left and right to task?
Re: (Score:3)
Prior to this, I'd have thought America and especially its government agencies do not hack.
Why would you have thought that? Spying has been going on since pretty much the dawn of time. It's what spy agencies do, and hacking computers is one way that they do it. Being surprised that the CIA does hacking is like being surprised that the Army shoots people.
I guess I was wrong. What troubles me is that the media only talked about the Russians, yet the act was taking place in our backyard!
What makes you think this spying was taking place in our backyard? The fact that the CIA was installing spyware doesn't mean that the CIA was installing spyware on the property of US citizens. (it doesn't mean they weren't, either -- but as a
Re: (Score:1)
The fact that the CIA was installing spyware doesn't mean that the CIA was installing spyware on the property of US citizens.
Do I smell naivety here?
Re: (Score:1)
No you apparently just have bad reading comprehension or are trying to take stuff out of context just to be a cock sucking prick. Either way you're part of the problem.
Re: (Score:1)
Yeah, well, when it comes to the CIA/DEA/FBI/etc it is pretty naive to believe they are bound by any 'laws'
Re: (Score:2)
>CIA
>matter of law
Choose one.
Re: (Score:2)
Ahem,I don't know about what they're installing on US home computers but where communication is concerned I know at least three ways around the legal limitations without the need to ask for a warrant and
Re: (Score:2)
"Files on Illegal Spying Show C.I.A. Skeletons From Cold War" (June 27, 2007)
"...new details about how the Central Intelligence Agency illegally spied on Americans decades ago, including trying to bug a Las Vegas hotel room for evidence of infidelity and tracking down an expert lock-picker for a Watergate conspirator."
http://www.nytimes.com/2007/06... [nytimes.com]
Operation CHAOS https:// [wikipedia.org]
Re: (Score:2)
What makes you think this spying was taking place in our backyard? The fact that the CIA was installing spyware doesn't mean that the CIA was installing spyware on the property of US citizens. (it doesn't mean they weren't, either -- but as a matter of law, they are not legally allowed to spy inside the US)
They were not suppose to be torturing people either but that did not stop them. So I guess it was legal. And I assume it is continuing. It was certainly been sanctioned with approval.
Re: (Score:2)
(no tails support [boum.org] though, argh)
Re: (Score:2)
What made the Snowden leaks such a big deal was not that the U.S. was spying, but that there was bulk spying going on, grabbing everyone's information, including Americans. What these leaks accuse the CIA of doing is being able to spy on particular, specific targets, which is the way they're supposed to do it.
Now, some people might think that this is bad because the CIA can hack computers we use, b
Re: (Score:2)
Prior to this, I'd have thought America and especially its government agencies do not hack.
The US has a long history of hacking spying. One of the recent complaints against the NSA is they keep exploits for their own use, instead of finding them and fixing them (thus they potentially leave everyone exposed).
The Stuxnet attack was [wikipedia.org] a difficult one to pull off because they had to go over an air-gap, and attack very expensive equipment (most of us don't have access to that equipment, and can't afford it).
Snowden reported quite a bit of hacking [reuters.com]. It's also known that the NSA was monitoring Angel
Re: (Score:2)
Prior to this, I'd have thought America and especially its government agencies do not hack.
I guess I was wrong. What troubles me is that the media only talked about the Russians, yet the act was taking place in our backyard!
Question: Will the media put both the left and right to task?
Newflash: Spies spy.
Re: (Score:2)
To bad you can't get to the UEFI / BIOS menus on a (Score:2)
To bad you can't get to the UEFI / BIOS menus on a mac to be able to change boot keys.
Not exactly news (Score:2)
This even made it into an episode of "Person of Interest" during its last season - although in that case I believe it was a criminal syndicate adding code to the EFI before the computers were shipped. Oh wait, I guess it was exactly the same after all!
Physical access (Score:3)
Re: (Score:3)
The physical access just avoids unexpected network sweeps, logs or code litter.
No network access to the device to alter the device, no network access to remove captured data.
Its more about tradecraft than any US domestic legal protection.
Be aware of unexpected new friends, offers of friendship that seem too perfect. Its a distraction to ge
Re: (Score:3)
That makes it better?
Uh, yeah, it definitely does. It drastically reduces the number of people/organizations who can exploit the vulnerability. Needing physical access is a huge obstacle for your average cyber criminal.
Russia scared of Apple (Score:1)
Buy Apple. It's the American thing to do.
Re: (Score:2)
A step away from the junk as designed or setting a junk international standard idea of the 1950-80's. The classic backdoor, trap door design.
The crypto can be examined and passed by outside experts. The product that then arrives as a random shipment is altered junk.
The data is then collected in person later, or from a normal network.
UEFI, the Mac equivalent to Bios for PCs (Score:2)
EFI and UEFI is the core firmware for Macs, the Mac equivalent to the Bios for PCs.
Not just for Mac's: All current PC's use UEFI - instead of BIOS - as well as Mac's do.