The CIA has had tools to infect Macs by connecting malicious Thunderbolt ethernet adapters to them since 2012, according to new documents purported to be from the agency and published by WikiLeaks.

One of the documents, dated Nov. 29, 2012, is a manual from the CIA’s Information Operations Center on the use of a technology codenamed Sonic Screwdriver. It is described as “a mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting.”

Sonic Screwdriver allows the CIA to modify the firmware of an Apple Thunderbolt-to-ethernet adapter so that it forces a MacBook to boot from an USB stick or DVD disc even when its boot options are password protected.

For example, Sonic Screwdriver can be used to boot into a Linux live CD so that the MacBook’s partitions and data can be accessed from outside macOS, the manual says.

More importantly, an adapter modified by Sonic Screwdriver can be used to execute Der Starke, a fileless macOS malware program that has a persistence component installed in the computer’s EFI (Extensible Firmware Interface).

The EFI or UEFI is the low-level firmware that initiates and configures the computer’s hardware components before starting the actual operating system. It is the modern equivalent of the BIOS.

An EFI implant, or rootkit, can inject malicious code inside the operating system’s kernel during the boot process and will survive even if the OS is fully reinstalled or the hard disk drive is changed.

Der Starke is described in another CIA document that was leaked Thursday as “a diskless, EFI-persistent version of Triton,” which is “an automated implant for Mac OS X”—spying malware that can steal data and send it to a remote server.



Source link