The recent release of a list of CIA hacking secrets by the whistle-blower site Wikileaks has left security teams scrambling to analyze their code to see just what is vulnerable and what isn’t. This may take some time given the massive scope of the data, which even includes smart TVs being turned into surveillance devices as well as tools aimed at compromising the ubiquitous iOS and Android operating systems.
The Wikileaks documents allege that the CIA’s Embedded Development Branch (EDB) developed two OS X specific tools, DerStarke and DarkMatter, to deploy malware based on UEFI exploits.
Many modern PCs and laptops use UEFI (Unified Extensible Firmware Interface) firmware, the replacement for the old BIOS. UEFI rootkits can be especially dangerous because they can survive a disk wipe and OS reinstallation and then reinfect the OS kernel. UEFI updates typically require user interaction, whereas a software antivirus update is mostly automatic. Unfortunately the average consumer has poor knowledge of UEFI/BIOS and does not know how to update it, meaning UEFI vulnerabilities can remain in a system potentially for the life of the system.
Though it is unlikely to affect end users in any significant way (probably), cyber warfare aside, it is troubling that these vulnerabilities exist and could possibly be used by hackers on a massive scale to steal valuable personal data undetected.
The good news is that the Advanced Threat Research team at Intel Security is working quickly to analyze and thwart potential EFI breaches by taking the original firmware image provided by the manufacturer and comparing it to the user’s current firmware to check for an infection. If the two don’t match, the files that differ can then be compared against a list of expected EFI executables. Intel does state, however, that this will come “at a later time”.
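The two-pass check described above (diff the running firmware against the vendor image, then vet whatever differs against a list of expected EFI executables) can be sketched in a few lines. The script below is an added illustration, not Intel Security’s tool or any real UEFI parser: it uses a constructed flat container format (16-byte GUID, 4-byte length, payload) standing in for the EFI volumes a real tool would extract, and the GUIDs, payloads and the "expected executables" list are all made-up sample data.

```python
import hashlib
import struct
import uuid
from typing import Dict, List, Tuple

# Constructed record layout for this example (NOT a real UEFI firmware volume):
# [16-byte GUID][4-byte little-endian payload length][payload] repeated.
HEADER = struct.Struct("<16sI")


def build_image(modules: List[Tuple[str, bytes]]) -> bytes:
    """Pack (guid, payload) pairs into the constructed image layout."""
    out = bytearray()
    for guid, payload in modules:
        out += HEADER.pack(uuid.UUID(guid).bytes_le, len(payload))
        out += payload
    return bytes(out)


def parse_image(image: bytes) -> Dict[str, bytes]:
    """Walk the image and return {guid: payload}; refuse truncated or duplicate records."""
    modules: Dict[str, bytes] = {}
    offset = 0
    while offset < len(image):
        if offset + HEADER.size > len(image):
            raise ValueError(f"truncated header at offset {offset}")
        raw_guid, length = HEADER.unpack_from(image, offset)
        offset += HEADER.size
        if offset + length > len(image):
            raise ValueError(f"truncated payload at offset {offset}")
        guid = str(uuid.UUID(bytes_le=raw_guid))
        if guid in modules:
            raise ValueError(f"duplicate module {guid}")
        modules[guid] = image[offset:offset + length]
        offset += length
    return modules


def hash_modules(modules: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every module body, keyed by GUID."""
    return {g: hashlib.sha256(p).hexdigest() for g, p in modules.items()}


def compare_firmware(vendor_image: bytes, current_image: bytes,
                     expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Pass 1: diff the running firmware against the vendor image.
    Pass 2: any module that differs is checked against the allowlist of
    expected EFI executables (GUID -> known-good SHA-256); a differing module
    whose hash is on that list (e.g. a legitimate vendor update) is benign,
    anything else is reported as unexpected."""
    vendor = hash_modules(parse_image(vendor_image))
    current = hash_modules(parse_image(current_image))
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": [], "unexpected": []}
    for guid, digest in current.items():
        if guid not in vendor:
            report["added"].append(guid)
        elif vendor[guid] != digest:
            report["modified"].append(guid)
    for guid in vendor:
        if guid not in current:
            report["removed"].append(guid)
    for guid in report["added"] + report["modified"]:
        if expected.get(guid) != current[guid]:
            report["unexpected"].append(guid)
    return report


# Constructed sample data: placeholder GUIDs and toy payloads, not real modules.
GUID_CORE = "aaaaaaaa-0000-4000-8000-000000000001"
GUID_USB = "aaaaaaaa-0000-4000-8000-000000000002"
GUID_EXTRA = "aaaaaaaa-0000-4000-8000-000000000003"

VENDOR_IMAGE = build_image([(GUID_CORE, b"DxeCore v1"), (GUID_USB, b"UsbDriver v1")])
# The running firmware carries a newer USB driver plus a module the vendor never shipped.
CURRENT_IMAGE = build_image([(GUID_CORE, b"DxeCore v1"),
                             (GUID_USB, b"UsbDriver v2"),
                             (GUID_EXTRA, b"unknown module body")])
# Allowlist of expected executables: the v2 USB driver is a known-good vendor update.
EXPECTED = {GUID_USB: hashlib.sha256(b"UsbDriver v2").hexdigest()}


def demo() -> Dict[str, List[str]]:
    return compare_firmware(VENDOR_IMAGE, CURRENT_IMAGE, EXPECTED)


if __name__ == "__main__":
    for category, guids in demo().items():
        print(f"{category:10s} {guids}")
```

The baseline and the allowlist must come from the manufacturer’s image and a trusted list, never from the machine being checked, since firmware that has already been tampered with can misreport its own contents; the same reasoning is why a real check dumps the SPI flash out-of-band rather than trusting what the OS reports.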
Apple claims to have patched most of the exploits detailed in the released documents. The moral of the story is that end users should always keep their systems up to date and patched.
Somewhat worryingly, Wikileaks claims the release of the so-called ‘Vault 7’ CIA hacking information is just the tip of the iceberg.