#DarkSeaSkies: CIA’s tool to hack MacBook Air in under 29 seconds exposed
Amidst WikiLeaks’ revelations about the CIA’s capabilities to hack into Apple products is DarkSeaSkies – a tool used to monitor and control MacBook Air that’s physically installed by a CIA agent or asset in “less than 29 seconds.”
READ MORE: Apple’s achilles heel: CIA hacks MacBook computers with ‘Sonic Screwdriver’
DarkSeaSkies is a tool that runs in the background of a MacBook Air to allow the CIA command and control laptops. It is delivered via “supply chain intercept or a gift to the target.”
It’s loaded onto a MacBook via booting through a thumb drive. The CIA’s user document explains: “It is assumed that an operator or asset has one-time physical access to the target system and can boot the target system to an external flash drive.”
A 2009 “user requirements” document on DarkSeaSkies explains it was created to allow the CIA to access a MacBook Air.
The CIA’s COG [Computer Operations Group] had a “time-sensitive operational need” to install the Nightskies tool onto a MacBook Air, as the CIA had an “opportunity to gift a MacBook Air to a target that will be implanted with this tool.” It’s unknown who this target was.
#Vault7: #DarkMatter documents explain the techniques used by CIA to gain 'persistence' on Macs and iPhones https://t.co/iJv6S1v9u0pic.twitter.com/vX86Uf7z0h
— RT (@RT_com) March 23, 2017
DarkSeaSkies Components
DarkSeaSkies is actually made up of three components, Dark Matter, SeaPea and NightSkies.
DarkMatter is installed in a computer’s kernal-space (core of computer’s operating system, usually in protected area of memory). It then installs the other two components of the tool, SeaPea and NightSkies.
SeaPea is installed in the kernal and executes and hides NightSkies, which is implanted in the user the space (computer’s memory area that deals with apps and software).
“All files, network connections, and processes associated with the NightSkies beacon are hidden by the SeaPea root-kit,” the document reads.
NightSkies is the beaconing tool used to monitor and send information from the phone to a Listening Post (LP), which collects the incoming data.
CIA monitors phone activity, incl browser history, YouTube video cache & mail metadata - WikiLeaks https://t.co/fnmmPjdsZxpic.twitter.com/dosyNrgNRr
— RT (@RT_com) March 23, 2017
Physical access is required to install DarkSeaSkies and the target must have “at minimum occasional internet access” to communicate with a CIA LP. If it’s unable to communicate with a LP, it will eventually delete itself from the system.
The good news is, at least back in 2009, DarkSeaSkies would not persist in the event of a firmware update, according to the CIA’s documents.
A document dealing with test procedures for DarkSeaSkies references a “MacBook Air out of the box” and explains how to install DarkSeaSkies, “run through the wizard to setup the MacBook for the first time. While you’re going through the setup you need to ensure that you set the clock to the current date and time. Disable the wireless card and the Bluetooth card.”
Under “observations,” it’s noted that the tool can be installed in “less than 29 seconds.”
“It takes roughly 23 seconds to get to where you can choose the thumb drive as the boot device and 6 seconds for the tool to install and power off the machine,” the document reads.
