WikiLeaks has revealed the CIA’s alleged ability to infiltrate and control iPhones through a tool called NightSkies, which is physically installed onto factory fresh iPhones and allows the CIA to monitor and download files from targets’ phones undetected.
The revelation is part of WikiLeaks’ latest Vault 7 release named ‘Dark Matter.’
NightSkies works in the background and grants “full remote command and control,” to the CIA, allowing it to upload and download files from iPhones, including details from the owner’s phonebook, text messages and call logs, and to execute actions on the phones as it wishes.
In the press release regarding the latest ‘Vault 7’ leak, WikiLeaks claims that NightSkies “is expressly designed to be physically installed onto factory fresh iPhones.”
A 2008 document featured in the release explains that NightSkies v1.2 must be physically installed and will only start beaconing information once the user starts to use the phone.
Nightskies is made up of three components: an implant, a Listening Post (LP) and a post-processing program.
The implant runs undetected on the phone once it has been physically installed.
The CIA monitors the phone for activity, including its browser history file, YouTube video cache or mail metadata. Once it is used for the first time, NightSkies kicks in and sends information to a preconfigured LP.
LPs are used to monitor devices, such as computers and phones, which have been hacked with the CIA’s malware implants. They can be physical or virtual and stored on a CIA computer server.
The NightSkies LP works as a “drop box” for information. It is unable to decrypt the packages it receives, in order to maximize security should the LP be compromised.
The post-processing component handles the information received by the LP from the implant in the phone. It “is intended to occur in a secure environment,” and decrypts and processes the ”payload” received from the target’s phone.
Certain ‘limitations’ are mentioned in the document, with the CIA warning that, “If the target does not use any applications that we monitor (MobileSafari, MobileMail, MobileMaps, etc..), then it is possible the beacon may not get triggered by the target.”
A “failsafe trigger” exists to bypass this problem, but it would be far more conspicuous to any targets and would be a last resort in cases of inactivity on the aforementioned apps.
The revelation that the CIA is physically infiltrating factory fresh phones suggests it has accessed the organization’s supply chain, meaning they may be accessing phones as they are shipped to targets, with CIA agents or assets physically tampering with suspects’ phones before they even receive them.
The fact that NightSkies was on version 1.2 by 2008 suggests it had been employed before then. The document references a 1.1 version, and explains that NightSkies has the capability to self-upgrade once installed.