Sonic Screwdriver

Some quick thoughts after reviewing some of the "Dark Matter" Vault 7 documents on WikiLeaks, with the caveat that these documents are all fairly old and almost certainly don't reflect the state of the art. The Sonic Screwdriver attracted my attention since many reports compared it to Thunderstrike: they both use the Apple Thunderbolt gigabit Ethernet adapter and store their code in its Option ROM. Sonic Screwdriver predates Thunderstrike 1 by at least a year; based on the dates, however, I am assuming they saw snare's 2012 Black Hat presentation and then took six months to weaponize and package it for use.

Sonic Screwdriver

The functionality of Sonic Screwdriver appears to be at the same level as presented in snare's slides -- the Option ROM code is loaded before firmware passwords are checked, which allows it to bypass this password and boot from an alternate media device with a more extensive exploit, but it does not have any flash-level persistence. Based on the documentation, as far as I can tell it does not carry any payload of its own:

The intended CONOP for Sonic Screwdriver is to be able to install EDG/AED tools on a Mac even if a firmware password was enabled.

The key contribution of Thunderstrike over snare's work was that it allowed a proximate attacker to use the Thunderbolt adapter to overwrite the motherboard boot flash, which provided better persistence than a boot.efi implant on the hard drive. The specific vulnerability it used in Apple's firmware update routine was closed as part of the software update that coincided with my 31C3 presentation. Thunderstrike 2 found additional vulnerabilities and added software-only attacks that allowed the flash to be unlocked from software, and also added a viral mode in which new Thunderbolt devices would be infected. Most of the vulnerabilities that allowed the Thunderbolt device to write to the boot flash were closed as part of a coordinated disclosure prior to BH2015. Note that neither Sonic Screwdriver, snare's rootkit, nor any of the Thunderstrike vulnerabilities used DMA over PCIe.

Apple did not disable Option ROMs after snare's 2012 talk, nor after either of the Thunderstrike talks. Even though the vulnerabilities that allowed flash writes from the Option ROM were closed by Apple, it was still possible to use the code in the Option ROM to bypass or reset firmware passwords, change boot devices, etc. Apple finally added an option to disable them for good in December 2015, as noted by Xeno in this tweet (crediting snare and our work). This is what the security community had been asking for since 2012 and can now be set via the command line:

sudo firmwarepasswd -setpasswd -setmode command
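
To confirm on a given Mac that the firmware password set by the command above is actually in place, the following added example (not part of the original post) classifies the output of `firmwarepasswd -check` and `firmwarepasswd -mode`. The output formats it parses ("Password Enabled: Yes|No" and "Mode: <mode>") and the verdict names are assumptions; check them against your macOS version.

```shell
#!/bin/sh
# Added example: classify firmware password state from firmwarepasswd output.
# Assumption: `firmwarepasswd -check` prints "Password Enabled: Yes|No" and
# `firmwarepasswd -mode` prints "Mode: <mode>". Verdict names are made up here.

# fw_field TEXT KEY -> value after "KEY:", lower-cased and trimmed; empty if absent
fw_field() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '
        tolower($1) == tolower(k) {
            v = tolower($2); gsub(/[ \t\r]+$/, "", v); print v; exit
        }'
}

# fw_classify CHECK_OUTPUT MODE_OUTPUT -> prints exactly one verdict word
fw_classify() {
    enabled=$(fw_field "$1" "Password Enabled")
    mode=$(fw_field "$2" "Mode")
    case "$enabled" in
        yes) ;;                                  # fall through to mode check
        no)  echo "NO_PASSWORD"; return 0 ;;
        *)   echo "UNKNOWN"; return 0 ;;         # tool missing, not root, new format
    esac
    case "$mode" in
        command|full) echo "OK_$mode" ;;
        *)            echo "PASSWORD_SET_MODE_UNKNOWN" ;;
    esac
}

# fw_audit: query the local machine (needs root on macOS).
# Exit status: 0 = password set in a known mode, 1 = not set/unclear, 2 = no tool.
fw_audit() {
    command -v firmwarepasswd >/dev/null 2>&1 || { echo "UNKNOWN"; return 2; }
    verdict=$(fw_classify "$(firmwarepasswd -check 2>&1)" \
                          "$(firmwarepasswd -mode 2>&1)")
    echo "$verdict"
    case "$verdict" in
        OK_*) return 0 ;;
        *)    return 1 ;;
    esac
}
```

Source the file and run `fw_audit` as root on the Mac being checked; `fw_classify` can also be fed output collected remotely by a management agent.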

DarkSeaSkies

It does appear that the DarkSeaSkies implant was firmware based, but only for certain MacBook hardware models. I'm not sure what technique it used to install itself. It targeted much older machines, which might have had firmware vulnerabilities -- the MacBook 1,1 is also supported by coreboot, which makes me think it had an easily re-writable firmware. However, I do not have any deep insight into why that one was targeted.

The User Requirements Document for it has this fascinating quote:

COG has a time-sensitive operational need for a porting of the current version of Nightskies to a MacBook Air. Currently this exists for an iPhone (See Requirement 2008-1508). COG has the opportunity to gift a MacBook Air to a target that will be implanted with this tool.

Since these documents all predate Thunderstrike and Thunderstrike 2, it is not known if the CIA has adapted any of the techniques to new implants. Physical access to the system, as implied in this quote, would allow significantly more tampering, possibly even overriding Boot Guard protections (through CPU replacement or other hardware modifications).

2017 Security


Last update: November 8, 2020