Dec. 01, 2008, the C.I.A. internally published NightSkies v1.2 User Guide for exploiting Apple iPhone 3G v2.1. Whistleblower Source: WikiLeaks Vault 7 DARK MATTER. This program “Grants full remove command and control” … “The tool operates in the background providing upload, download and execution capability … will wait for user activity before beaconing. When user activity is detected, NS will attempt to beacon to a preconfigured LP [Listening Post—remote C.I.A. command and control point] to retrieve tasking, execute the instructions, and reply with the response in one session.”
NightSkies works in the background and grants “full remote command and control,” to the CIA, allowing it to upload and download files from iPhones, including details from the owner’s phonebook, text messages and call logs, and to execute actions on the phones as it wishes.
- Retrieves files from iPhone including Address Book, SMS, Call Logs (when available), etc.
- Sends files and binaries [another programmer name for files] to the iPhone such as future tools
- Executes arbitrary commands on the iPhone
- Grants full remote command and control
- Masquerades as standard HTTP protocol for communications
- Uses XXTEA block encryption to provide secure communications
- Provides self-upgrade capability
WikiLeaks revealed in March 2017 the CIA’s alleged ability to infiltrate and control iPhones through a tool called NightSkies, which is physically installed onto factory fresh iPhones and allows the CIA to monitor and download files from targets’ phones undetected.
In the press release regarding the ‘Vault 7’ leak, WikiLeaks claims that NightSkies “is expressly designed to be physically installed onto factory fresh iPhones.”
A 2008 document featured in the release explains that NightSkies v1.2 must be physically installed and will only start beaconing information once the user starts to use the phone.
— Christine Maguire (@_ChrisMaguire) March 23, 2017
Nightskies is made up of three components: an implant, a Listening Post (LP) and a post-processing program. The implant runs undetected on the phone once it has been physically installed. The CIA monitors the phone for activity, including its browser history file, YouTube video cache or mail metadata. Once it is used for the first time, NightSkies kicks in and sends information to a preconfigured LP. LPs are used to monitor devices, such as computers and phones, which have been hacked with the CIA’s malware implants. They can be physical or virtual and stored on a CIA computer server.
— WikiLeaks (@wikileaks) March 8, 2017
The NightSkies LP works as a “drop box” for information. It is unable to decrypt the packages it receives, in order to maximize security should the LP be compromised. The post-processing component handles the information received by the LP from the implant in the phone. It “is intended to occur in a secure environment,” and decrypts and processes the ”payload” received from the target’s phone. Certain ‘limitations’ are mentioned in the document, with the CIA warning that, “If the target does not use any applications that we monitor (MobileSafari, MobileMail, MobileMaps, etc..), then it is possible the beacon may not get triggered by the target.” A “failsafe trigger” exists to bypass this problem, but it would be far more conspicuous to any targets and would be a last resort in cases of inactivity on the aforementioned apps.
The revelation that the CIA is physically infiltrating factory fresh phones suggests it has accessed the organization’s supply chain, meaning they may be accessing phones as they are shipped to targets, with CIA agents or assets physically tampering with suspects’ phones before they even receive them.
The fact that NightSkies was on version 1.2 by 2008 suggests it had been employed before then. The document references a 1.1 version, and explains that NightSkies has the capability to self-upgrade once installed.