The CIA implants a tracking beacon named NightSkies into the iPhone during factory production that does not exhibit alerting behavior, according to WikiLeaks’ Julian Assange.
In a live WikiLeaks press conference Wednesday, Founder Julian Assange announced that the CIA had been installing a tracking beacon code-named “NightSkies” to the iPhone 3G v2.1 beginning in 2008.
According to the WikiLeaks’ Vault 7 “Dark Matter” archive on NightSkies, “NightSkies (NS) version 1.2 is a beacon/loader/implant tool for the Apple iPhone 3G v2.1. The tool operates in the background providing upload, download and execution capability on the device. ”
Assange announced, “NightSkies reached version 1.2 by 2008, so that means it’s been in the process of development for quite sometime, but it is expressly designed to be physically installed in factory-fresh iPhones.”
“The Central Intelligence Agency has produced methods of infecting Apple Macintoshes and iPhones, and has a very considerable effort to do that,” he said, adding that NightSkies’ tracking beacon through the Apple iPhone works very much like a bug in spy movies but a grander scale.
According to the CIA NightSkies user manual in the WikiLeaks Dark Matter archive, NightSkies’ tracking beacon is capable of “monitoring specific directories on the phone such as the browser history file, Youtube video cache, map files cache, or mail files meta data.”
This user’s guide provides instructions to configure and install NS on a factory fresh device. It also includes instructions on how to create and maintain the Listening Post and Response Processing components on the backend.
NightSkies is composed of three components that include backups in case the initial implant was compromised.
1) The Implant
The implant will run on the Apple iPhone. Its functionality includes beaconing, file upload/download, and command execution. It runs in the background and does not exhibit alerting behavior. NightSkies will attempt to use any available Internet connection to beacon. NightSkies will wait for user activity before attempting to beacon.
2) The Listening Post
The Listening Post provides tasking to and will accept packages from the implant. The LP is not allowed to decrypt or process the received packages. It serves only as a drop box for packages. This was designed to maximize security in the case that the LP was compromised.
3) Post Processing
Post processing is intended to occur in a secure environment by the ResponseProcessor program. This program will decrypt, decompress, and process the payload returned from the implant. It extracts files contained in the payload and displays results of any commands executed on the target phone.