Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Desktops (Apple) IOS Iphone Operating Systems Privacy Apple

WikiLeaks' New Dump Shows How The CIA Allegedly Hacked Macs and iPhones Almost a Decade Ago (vice.com) 113

WikiLeaks said on Thursday morning it will release new documents it claims are from the Central Intelligence Agency which show the CIA had the capability to bug iPhones and Macs even if their operating systems have been deleted and replaced. From a report on Motherboard: "These documents explain the techniques used by CIA to gain 'persistenc'' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware," WikiLeaks stated in a press release. EFI and UEFI is the core firmware for Macs, the Mac equivalent to the Bios for PCs. By targeting the UEFI, hackers can compromise Macs and the infection persists even after the operating system is re-installed. The documents are mostly from last decade, except a couple that are dated 2012 and 2013. While the documents are somewhat dated at this point, they show how the CIA was perhaps ahead of the curve in finding new ways to hacking and compromising Macs, according to Pedro Vilaca, a security researcher who's been studying Apple computers for years. Judging from the documents, Vilaca told Motherboard in an online chat, it "looks like CIA were very early adopters of attacks on EFI."
This discussion has been archived. No new comments can be posted.

WikiLeaks' New Dump Shows How The CIA Allegedly Hacked Macs and iPhones Almost a Decade Ago

Comments Filter:
  • by Anonymous Coward

    Nothing like good old BIOS and hardware jumpers

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Exactly the opposite. It used to be easy to hack your own computer. Now you need the resources of the CIA.

  • So UEFI is now a Mac only thing, huh?
  • by goombah99 ( 560566 ) on Thursday March 23, 2017 @11:17AM (#54096017)

    It seems to me that having a chip, the management unit, in all intel processors that sits above even a hypervisor and can read all memory, have it's own connection to the network, runs java code, and is software reprogrammable, is basically the wet dream of root kits. it's invisible to anything you run on the CPU but sees all and tells all.

    • by goombah99 ( 560566 ) on Thursday March 23, 2017 @11:33AM (#54096135)

      for a little background on the management engine:
      http://hackaday.com/2016/11/28... [hackaday.com]

      • by Anonymous Coward on Thursday March 23, 2017 @01:13PM (#54097007)

        Obligatory: Intel CPU Backdoor Report

        Intel CPU Backdoor Report (Updated Mar 13, 2017)

        The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

        What we know about Intel CPU backdoors so far:

        TL;DR version

        Your Intel CPU and Chipset is running a backdoor as we speak.

        The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

        30C3 Intel ME live hack:
        @21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
        [Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware [youtube.com]
        [Quotes] Vortrag [events.ccc.de]:
        "DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel."

        "the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."

        "We have recently improved DAGGER's capabilites to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."

        "To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."

        "We can permanently monitor the keyboard buffer on both operating system targets."

        Backdoor removal:
        The backdoor firmware can be removed by following this guide [github.io] using the me_cleaner [github.com] script.
        Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

        Decoding Intel backdoors:
        The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

        If you are skilled in these areas, download Intel ME firmwares from this collection [win-raid.com] and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

        1. Introduction, what is Intel ME

        Short version, from Intel staff:

        Re: What Intel CPUs lack Intel ME secondary processor? [intel.com]
        Amy_Intel Feb 8, 2016 9:27 AM

        The Management Engine (ME) is an isolated and protected cop

        • That's nice, except for the part where it's independent of the CPU (in other words, it works even with a dead CPU) and the fact that it's off by default and the end user has to go out of their way to enable it. Though that doesn't make for a good enough conspiracy theory so nobody mentions it, and instead only pay attention to RMSs (incorrect) belief that it's enabled by default.

          • by Anonymous Coward

            Are you people really stupid or just paid shill? Or you have some kind of weak mind that you just can't accept how bad things are?

            You really need to look at reality more before talking out of your ass, they've got you by the balls.

            I just updated the report:

            7. Active Intel ME Example:
            Thinkpad X201 has KVM and Anti-Theft (internal 3G) enabled by default [github.com]

            intelmetool -s

            ME: Firmware Version 0.996.511.0

            ME Capability- Full Network manageability - ON
            ME Capability- Regular Network manageability - OFF
            ME Capability- Manageability - ON
            ME Capability- Small business technology - OFF
            ME Capability- Level III manageability - OFF
            ME Capability- Intel Anti-Theft (AT) - ON
            ME Capability- Intel Capability Licensing Service (CLS) - ON
            ME Capability- Intel Power Sharing Technology (MPC) - ON
            ME Capability- ICC Over Clocking - ON
            ME Capability- Protected Audio Video Path (PAVP) - ON
            ME Capability- IPV6 - ON
            ME Capability- KVM Remote Control (KVM) - ON
            ME Capability- Outbreak Containment Heuristic (OCH) - OFF
            ME Capability- Virtual LAN (VLAN) - OFF
            ME Capability- TLS - ON
            ME Capability- Wireless LAN (WLAN) - OFF

    • For remote management of OS startup/shutdown and system monitoring and its effectively a small seperate computer. I don't think consumer machines have this installed. Unless I'm getting confused about what you're referring to.

      • by goombah99 ( 560566 ) on Thursday March 23, 2017 @11:37AM (#54096175)

        nope, it's in every core processor chipset.

        • by Trogre ( 513942 )

          So... just route around Intel by buying AMD and you're good, right?

      • The IME (Intel) and PSP (AMD) are on all modern systems, however they can be disabled in the UEFI configuration. Servers tend to have Out of Band network interfaces (NICs) to access them such that the controlling entity can be on a LAN that is separate from the internet connected one, but all modern systems have such capabilities (management engines.) You can go into your UEFI (falsely a.k.a. BIOS) setup and see the options to enable and disable it and it's features,.
        • what you said seems to be fully contradicted in everything I have read on this. People have been trying to years to turn this off. there were a couple of hacks discovered but now those dont work either.

    • And it's been hacked [pcworld.com], multiple times, actually.
      • by Megol ( 3135005 )

        Eh, no. UEFI implementations have been "hacked"* several times but AFAIK there is no instance of the security processor being tampered with.

        (* back in the days we used to assume that access to hardware == access to the computer, it's just that hardware/software makes that much harder to do than before)

        • It doesn't really matter as long as you have control of the innermost ring of the CPU.
          • What are you talking about? It runs on its own separate processor. It's not even x86, it's ARC. The purpose is to allow you to troubleshoot a PC that merely powers on but is otherwise dead, up to and including a dead CPU.

            • The story talks about UEFI/EFI attacks, which allows access below the OS. I see your point though.
              Is there an API that allows you to talk to the ARC (or to reflash it)? How do people program it (surely not jtag; or rather, there must be some way in addition to jtag)?
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Let's not forget the fact that Intel (Israel) and NSA (US) have collaborated to bury far far more insidious things inside the many BILLIONS of transistors of the CPU itself... we're talking full backdoor encrypted magic packet access, interaction with Windows NSA_KEY, heuristic triggers, the works. BILLIONS of transistors folks, BILLIONS, all inside a TOP SECRET CLOSED SOURCE die and company... think about that for just a minute folks.

      Opensource software is MEANINGLESS when you can't trust the platform.
      DEMA

      • by Agripa ( 139780 )

        It would be an awful risk for Intel to knowingly or unknowingly take. Like a forced security certificate, the secret would only have to leak once and the evidence would be in non-volatile memory for inspection.

        More likely would be a compromise in Intel's hardware random number generator which leaves no evidence to be found but hey, why not both?

  • by Ungrounded Lightning ( 62228 ) on Thursday March 23, 2017 @11:19AM (#54096029) Journal

    And now maybee we'll know why it's been so hard for Open Source developers to get information on writing their own against-the-metal drivers for telephony radios and startup modules (BIOS, EFI/UEFI, etc.)

    It has long been suspected that was not just proprietary info-walling, but to reduce chances of discovery of backdoors and persistent threats imposed in the name of spying.

    • Re: (Score:2, Insightful)

      by Megol ( 3135005 )

      It have also been long suspected that UN strives for world domination and have plans to take control of the US via military force, that aliens insert tracking chips into people and that the MIB goes around harassing people that "knows" this with silent black helicopters.

      IT'S. NOT. LOGICAL.

      Stop giving in to shitty conspiracy theories - there's no need for them. If there were secret backdoors inserted in hardware and software then we would know it, stopping such information from leaking via the engineers buil

    • You evidently didn't know the entire source for UEFI [github.com] is available. I have git cloned it and built and used it successfully. Of course, that doesn't tell you about the UEFI build running on your system, but it DOES allow you to roll your own.
    • by Agripa ( 139780 )

      And now maybee we'll know why it's been so hard for Open Source developers to get information on writing their own against-the-metal drivers for telephony radios and startup modules (BIOS, EFI/UEFI, etc.)

      It has long been suspected that was not just proprietary info-walling, but to reduce chances of discovery of backdoors and persistent threats imposed in the name of spying.

      Maybe but the backdoor only has to be discovered or leaked once. I doubt this would matter for telecommunication providers who have immunity anyway and are known to be jerks but it would be a big deal for Intel or AMD.

  • by bogaboga ( 793279 ) on Thursday March 23, 2017 @11:22AM (#54096047)

    Prior to this, I'd have thought America and especially its government agencies do not hack.

    I guess I was wrong. What troubles me is that the media only talked about the Russians, yet the act was taking place in our backyard!

    Question: Will the media put both the left and right to task?

    • by Jeremi ( 14640 )

      Prior to this, I'd have thought America and especially its government agencies do not hack.

      Why would you have thought that? Spying has been going on since pretty much the dawn of time. It's what spy agencies do, and hacking computers is one way that they do it. Being surprised that the CIA does hacking is like being surprised that the Army shoots people.

      I guess I was wrong. What troubles me is that the media only talked about the Russians, yet the act was taking place in our backyard!

      What makes you think this spying was taking place in our backyard? The fact that the CIA was installing spyware doesn't mean that the CIA was installing spyware on the property of US citizens. (it doesn't mean they weren't, either -- but as a

      • The fact that the CIA was installing spyware doesn't mean that the CIA was installing spyware on the property of US citizens.

        Do I smell naivety here?

        • No you apparently just have bad reading comprehension or are trying to take stuff out of context just to be a cock sucking prick. Either way you're part of the problem.

      • >CIA
        >matter of law

        Choose one.

      • What makes you think this spying was taking place in our backyard? The fact that the CIA was installing spyware doesn't mean that the CIA was installing spyware on the property of US citizens. (it doesn't mean they weren't, either -- but as a matter of law, they are not legally allowed to spy inside the US)

        Ahem,I don't know about what they're installing on US home computers but where communication is concerned I know at least three ways around the legal limitations without the need to ask for a warrant and

      • by AHuxley ( 892839 )
        Re "The fact that the CIA was installing spyware doesn't mean that the CIA was installing spyware on the property of US citizens."
        "Files on Illegal Spying Show C.I.A. Skeletons From Cold War" (June 27, 2007)
        "...new details about how the Central Intelligence Agency illegally spied on Americans decades ago, including trying to bug a Las Vegas hotel room for evidence of infidelity and tracking down an expert lock-picker for a Watergate conspirator."
        http://www.nytimes.com/2007/06... [nytimes.com]
        Operation CHAOS https:// [wikipedia.org]
      • by Agripa ( 139780 )

        What makes you think this spying was taking place in our backyard? The fact that the CIA was installing spyware doesn't mean that the CIA was installing spyware on the property of US citizens. (it doesn't mean they weren't, either -- but as a matter of law, they are not legally allowed to spy inside the US)

        They were not suppose to be torturing people either but that did not stop them. So I guess it was legal. And I assume it is continuing. It was certainly been sanctioned with approval.

    • No one should be surprised that US Intelligence agencies hack. That's the very core of their job - spying!

      What made the Snowden leaks such a big deal was not that the U.S. was spying, but that there was bulk spying going on, grabbing everyone's information, including Americans. What these leaks accuse the CIA of doing is being able to spy on particular, specific targets, which is the way they're supposed to do it.

      Now, some people might think that this is bad because the CIA can hack computers we use, b
    • Prior to this, I'd have thought America and especially its government agencies do not hack.

      The US has a long history of hacking spying. One of the recent complaints against the NSA is they keep exploits for their own use, instead of finding them and fixing them (thus they potentially leave everyone exposed).

      The Stuxnet attack was [wikipedia.org] a difficult one to pull off because they had to go over an air-gap, and attack very expensive equipment (most of us don't have access to that equipment, and can't afford it).

      Snowden reported quite a bit of hacking [reuters.com]. It's also known that the NSA was monitoring Angel

    • Prior to this, I'd have thought America and especially its government agencies do not hack.

      I guess I was wrong. What troubles me is that the media only talked about the Russians, yet the act was taking place in our backyard!

      Question: Will the media put both the left and right to task?

      Newflash: Spies spy.

    • Comment removed based on user account deletion
  • To bad you can't get to the UEFI / BIOS menus on a mac to be able to change boot keys.

  • This even made it into an episode of "Person of Interest" during its last season - although in that case I believe it was a criminal syndicate adding code to the EFI before the computers were shipped. Oh wait, I guess it was exactly the same after all!

  • by MikeMo ( 521697 ) on Thursday March 23, 2017 @12:47PM (#54096785)
    Note that both of these hacks require physical access.
    • by AHuxley ( 892839 )
      That makes it better? The CIA has to distract a person to get to the phone? Or become their friend? Or watch their online shopping and alter it during shipping?.
      The physical access just avoids unexpected network sweeps, logs or code litter.
      No network access to the device to alter the device, no network access to remove captured data.
      Its more about tradecraft than any US domestic legal protection.
      Be aware of unexpected new friends, offers of friendship that seem too perfect. Its a distraction to ge
      • That makes it better?

        Uh, yeah, it definitely does. It drastically reduces the number of people/organizations who can exploit the vulnerability. Needing physical access is a huge obstacle for your average cyber criminal.

  • Buy Apple. It's the American thing to do.

  • EFI and UEFI is the core firmware for Macs, the Mac equivalent to the Bios for PCs.

    Not just for Mac's: All current PC's use UEFI - instead of BIOS - as well as Mac's do.

Be sociable. Speak to the person next to you in the unemployment line tomorrow.

Working...