A new WikiLeaks Vault 7 leak titled “Dark Matter” claims, with unreleased documents, that the Central Intelligence Agency has been bugging “factory fresh” iPhones since at least 2008. IT security experts from FireMon, prpl Foundation and Comparitech.com commented below.

Paul Calatayud, CTO at FireMon:

paul-calatayud“The validity of the dumps from my 18 years of experience in cyber including 8 years within the army cyber teams would lead me to state these claims have basis and are worth taking real consideration over.

“The tools are very noteworthy yet to be expected if you understand the space. We have seen issues with suppliers and manufacturers in the computer world installing or not being aware of root kits and low level firmware key loggers being installed, examples being Lenovo. Even this week I read reporters that Microsoft Windows 10 if enabled within settings send full key log data back for analysis.

“The question moves away from technology capability towards intent and success. This is where I would disagree with others. I suspect this program was able to weaponise malware at low levels of Apple phones. I disagree that the program had large scale reach or that they were able to distribute it with Apple support or with any success. In other words, just because the malware was designed, does not mean it is present in all phones. Looking at the fight between the FBI and Apple over backdoor and encryption further leads me to believe these capabilities and the malware is not readily deployed in the wild. I suspect there was far greater success of surveillance programs within the wireless networks vs. what’s on the device. Just think, what data that lives on your phone is not somehow being transmitted over wireless protocols and internet services; text messages, phone calls, email messages, etc.”

Cesare Garlati, Chief Security Strategist at prpl Foundation:

Cesare Garlati“I am not surprised to see evidence that Apple devices are, in fact, as vulnerable as any other device on the market; or that a nation state has invested time and money to exploit one more leading technology platform (iOS). For years Apple has tried to position itself as the leader in security through obscurity, even going so far as to seal the batteries within the device and not allow for external security software to run on its devices.  I would take issue with any manufacturer that does this as it would be impossible to tell if the microphone/camera/gps are actually turned off. In addition, any manufacturer claiming to be the best in security, while still using proprietary software has to be questioned. Perhaps those bold statements make more sense in the context of Apple – once the de facto monopoly in smartphones – being protected and allowed to carry on these questionable practices while nation states have something to gain.  The bottom line is that every piece of software embedded in any device is vulnerable and therefore exploitable to some extent, but upon bringing to light these practices, dots seem a little more connected and the penny starts to drop.”

Lee Munson, Security Researcher at Comparitech.com:

Lee Munson“If Wikileaks’ latest claims about the CIA bugging ‘factory fresh’ iPhones is true, it is hardly revelatory and certainly nothing for the average citizen to be unduly concerned about (or so we’d like to think).

“While the tools allegedly at the spy agency’s disposal are impressive, in so much as they are claimed to be both persistent and able to disregard password-enabled signups, they would appear to rely upon one very important component – physical installation.

“Unless we are to believe that Apple is in some way complicit with this arrangement – which I doubt totally, given Tim Cook’s stance on privacy – then the CIA would only be able to infect devices that have been intercepted through the postal system.

“Should this be the case, it may possibly be cause for concern, given we don’t know who may have been targeted, but it does show that this technique is probably not specifically related to Apple because physical access is a huge security risk to any device.”

Information Security Buzz