CIA Created 'CherryBlossom' Toolkit For Hacking Hundreds of Routers Models (bleepingcomputer.com)
An anonymous reader writes: After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series -- documents about a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models. The tool is by far one of the most sophisticated CIA malware frameworks in the CIA's possession. The purpose of CherryBlossom is to allow operatives to interact and control SOHO routers on the victim's network. The tool can sniff, log, and redirect the user's Internet traffic, open a VPN to the victim's local network, execute actions based on predefined rules, alert operators when the victim becomes active, and more. A 24-page document included with the CherryBlossom docs lists over 200 router models from 21 vendors that the CIA could hack. The biggest names on this list are Apple, D-Link, Belkin, Aironet (Cisco), Linksys, and Motorola.
Can't be any worse than the factory firmware. Sounds full featured!
Bullshit.
I comment occasionally so that I can mod others -1 overrated or -1 offtopic.
Defense attorneys must be salivating at this news, right? The fact that so many different router models are exploitable just screams "reasonable doubt." Hundreds of different models of routers are affected. If the CIA could find and exploit these vulnerabilities, so could other people. Anyone being charged with a computer crime that doesn't have a physical nexus (e.g. DPR getting fake passports in the mail) should point to this information and say see, my router was hackable, anyone in the world could have gotten into my network and launched that DDoS | committed credit card fraud | etc.
Perhaps the ethical thing to do would be to inform the manufacturers and give them reasonable notice prior to simply dumping the information online. While I certainly have no problem with this information eventually being made public, Wikileaks is dumping this information without regard to the consequences. To do otherwise seems unethical, not that Wikileaks cares about ethics any longer. It seems like they've become politically motivated of late rather than their original goal of providing transparency where there otherwise wouldn't be.
Exposing security weakness to the public helps gets them fixed, which improves security.
Seems to me serious spooks of many nations have already built similar tools for themselves.
For example Tomato, DD-WRT, OpenWRT, and all the variants that are so popular on commodity hardware.
This is really an issue with the US subverting the companies that pay for it to fund such activities. In all reality, we should be handing zero days over to make things more secure, not hoarding them, thereby making them less secure. What's worse is that every zero day we have, someone else could have, and there's no way of us knowing about it. All we're doing is endangering the IP of the legitimate businesses and citizens of the US by keeping these zero days private.
"Make the world more secure, by ensuring it's less secure" should be our motto, at least then it'd be blatantly obvious we don't give a fuck about actually securing anything (not that it isn't already).
There is every reason to believe that intelligence agencies in other countries do the same things. Is there ANY reason to doubt that intelligence agencies in the UK, Germany, China, Russia, and other countries aren't doing the same things? Of course they're doing the same things! A lot of the world would be hypocrites to complain about this. Those governments and plenty of others are just as interested in spying as the US government is. You just wanted to post some flamebait, so congratulations on making a post that exposes just what an idiotic asshole you are. The collateral damage from the spying is a huge problem when these exploits are leaked to the public and used by criminals for their benefit. If you had made that point, I'd have no problem with it. However, you've actually revealed yourself as a troll incapable of having a mature discussion.
The Government spy agencies shouldn't be creating f...ing malware/trojans. Cause this will happen every time. Information wants to be free. This also seems to be old equipment models. They don't even have 802.11ac equipment listed? Oh wait, the CIA has updated attack tools that haven't been stolen... yet.
If you bothered to read, they dumped the manuals, not the tools.
There's plenty of debate on what constitutes responsible disclosure of vulnerabilities, but this document appears to only explain how the tool is used, not including the tool itself, so that isn't even the conversation to be having. Your argument seems more applicable to The Shadow Brokers.
What this leak would seem to do would be to correct the mistake the CIA made by failing to disclose vulnerabilities to vendors so they could use it themselves. Pretty much the only way to criticize Wikileaks here is to claim that the CIA are the good guys, which doesn't really jibe with the entire history of the CIA, especially for the /. crowd.
This is my signature. There are many like it, but this one is mine.
"Exposing security weakness to the public helps gets them fixed, which improves security."
Wikileaks could have informed the manufacturers first, giving them time to create patches before it's leaked to the interwebs. Fuck Wikileaks for this one. Too bad they can't be held responsible when this gets exploited and causes real damage to innocent victims.
It isn't the ones Russia leaked (leaked in 7 (or more) dumps to Wikileaks, that Assange has been systematically unlocking for maximum press) it's the ones they decided not to leak.
These dumps are from a Russian hack of the CIA, their hackers keep the best stuff for themselves. So this "backdoor in everyone's router" isn't the best stuff, they still have those.
What it does is give everyone a wakeup call to fix their security holes and not trust their network kit.
I didn't see anything about DD-WRT flashed routers in the manual.
So maybe I'm good.
Admiral Mikey The Navy Man (NSA) is under fire as it is, NOW THIS!
NSA creates code as this, not CIA; they (CIA) are chump change.
The CIA is run by the State Department.
Likely Obama Sandinista are unhappy and are trying to undercut Tillerson and wreck Trump.
Well boys, having THIS code out is a very good thing!
Thanks To Wikileaks!
So the CIA uses its PoP to man-in-the-middle traffic directed at router manufacturers' firmware update sites and none of them simply checked the firmware signature before applying?
This is a pretty basic exploit and a pretty basic check for the router manufacturers...
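The check the comment above has in mind, written out as an added example in Go (not code from the leak, the article, or any vendor): the device carries a pinned vendor public key, the vendor signs a small manifest (version plus SHA-256 of the image), and the device refuses to flash anything whose manifest signature, image hash, or version fails. The manifest layout, the Ed25519 choice and the sample image are assumptions of this example. With this in place, an update server impersonated from a network point of presence can only deliver images that fail verification, whatever transport the download used.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor (an assumption of this example,
// not any vendor's real format): the vendor signs the version number and the
// SHA-256 of the image, so the image itself can come from any mirror or cache.
type Manifest struct {
	Version     uint32
	ImageSHA256 [32]byte
}

// signedBytes is the exact byte string the vendor signs and the device checks.
func (m Manifest) signedBytes() []byte {
	b := make([]byte, 4, 4+len(m.ImageSHA256))
	binary.BigEndian.PutUint32(b, m.Version)
	return append(b, m.ImageSHA256[:]...)
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("downloaded image does not match the hash in the signed manifest")
	ErrDowngrade    = errors.New("signed version is older than the installed version")
)

// VerifyUpdate is the check the device must run before flashing anything.
// vendorPub is baked into the running firmware at build time, so a manifest
// or image substituted on the wire fails here whether it arrived over HTTP
// or HTTPS.
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(vendorPub, m.signedBytes(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(image)
	if !bytes.Equal(sum[:], m.ImageSHA256[:]) {
		return ErrHashMismatch
	}
	if m.Version < installed {
		// An old but genuinely signed image with a known hole is also an attack.
		return ErrDowngrade
	}
	return nil
}

// NewManifest and SignManifest are the vendor-side steps, included only so the
// example runs offline; the private key never exists on the device.
func NewManifest(version uint32, image []byte) Manifest {
	return Manifest{Version: version, ImageSHA256: sha256.Sum256(image)}
}

func SignManifest(vendorPriv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(vendorPriv, m.signedBytes())
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // stands in for a real image
	m := NewManifest(2, image)
	sig := SignManifest(priv, m)

	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, image, 1))
	tampered := append([]byte("modified-in-transit "), image...)
	fmt.Println("tampered image:", VerifyUpdate(pub, m, sig, tampered, 1))
	fmt.Println("downgrade:", VerifyUpdate(pub, m, sig, image, 3))
}
```

The order of the checks matters: the signature is verified before the hash is trusted, and the version comparison uses the signed version rather than anything in the image name, so a replayed older release is caught as well as a forged one.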
Been using pfSense for years now, glad to know the FreeBSD life style is still holding up better than commercial consumer bullshit!
do you suffer cerebral palsy? they didn't write the damn thing
parent: "do you suffer cerebral palsy?"
Why yes I do. Most people know me as Randy, but my friends call me "Spaz".
Yes, a VERY big thanks to WL actually. Without documents like these coming to light your privacy erodes MUCH quicker thanks to the likes of "Scaryisms".
TLA's and poli's want backdoors to everything but they can't even keep THEIR shit together. What security do YOU have?
Also, fuck you
A long new password won't help the device.
FlyTrap then connects to CherryTree.
Mission then sends down the tasks to the device.
CherryWeb is the GUI that looks over the new network.
Windex alters the computers browsers i.e. malware.
A copy of networked data via a new VPN.
Years of access.
Domestic spying is now "Benign Information Gathering"
Wikileaks could have informed the manufacturers first, giving them time to create patches before it's leaked to the interwebs.
That's bullshit. The manufacturers are well aware of the flaws being exploited, and it is just as plausible they left them open on 'request'.
“He’s not deformed, he’s just drunk!”
This is certainly "unauthorized access to a computer system". So we're going to see people going to prison for this, right? Like I would, if I did something like that? ..... right?
Stanford Research Institute. Reading about what this "non-profit" does, and has done in the past for the government, is actually more interesting than the Cherry Blossom project they created. Oh, and the CNB (?) wanted SRI to use Fedora 14 for the CB platform, which, once again, reaffirms that the Red Hat product is the preferred OS of the Deep State. Freedom and privacy loving Red Hat sw devs must be so proud.
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".
"We can permanently monitor the keyboard buffer on both operating system targets."
Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of countermeasures to prevent their backdoors from being decoded (explained below).
Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software
1. Introduction, what is Intel ME
Short version, from Intel staff:
Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM
The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.
Long version:
ME: Management Engine
The Intel Management Engine (ME) is a separate computing environment physically located in the MCH chip or PCH chip replacing ICH.
The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or
You can have a high degree of local machine security running something like Slackware on a corebooted ThinkPad, but ever since I was a kid with my first cable modem that blinking black box has always spooked me.
Routers are almost always proprietary telco supplied, a real PIA to impossible to get open firmware for. It's just obvious. If they (three letter et al.) are going to hack you they will start with your router.
Public wifi (using someone else's router temporarily) is the only way to counter this attack.
-K
Wikileaks could have informed the manufacturers first, giving them time to create patches before it's leaked to the interwebs. Fuck Wikileaks for this one. Too bad they can't be held responsible when this gets exploited and causes real damage to innocent victims.
you seem to be forgetting that Wikileaks is in the entertainment business.
Good to see ubiquiti isn't on the list
Perhaps the ethical thing to do would be to inform the manufacturers and give them reasonable notice prior to simply dumping the information online. While I certainly have no problem with this information eventually being made public, Wikileaks is dumping this information without regard to the consequences. To do otherwise seems unethical, not that Wikileaks cares about ethics any longer. It seems like they've become politically motivated of late rather than their original goal of providing transparency where there otherwise wouldn't be.
Big Brother would be so proud of you. Do you honestly think that prior notice will get some companies to fix what is a serious security issue.
Sometimes the best method of getting information across to Manufacturers is to just make it public. Yes it can hurt initially and some of the companies will have deservedly red faces but if better security is the result then I am all for it.
Looks like all the routers on the list are very old. This tool is outdated? Or just the list of routers?
I have perfect security. If my wife doesn't send me an S/MIME encrypted email we have a "serious discussion" at the dinner table where I lecture her about the NSA, foreign actors, and idiot slashdot shitfuckers.
Then I don't get laid.
Page 24...
"Barring guidance from the Sponsor with regards to particular devices of interest, Cherry Blossom has attempted to support wireless network devices that are ubiquitous and readily available (at least in the US)."
Why does CIA care what is "ubiquitous" and "readily available" in the United States? Who are they targeting? Why would they waste considerable sums of time and effort developing cracked firmware images based on US market availability? Is the CIA's mission spying on Americans? Isn't this supposed to be "Illegal"?
*Perhaps the ethical thing to do would be to inform the manufacturers and give them reasonable notice prior to simply dumping the information online*
Well yes. But did deploying this tool equal dumping the info online or not?
world was created 5 seconds before this post as it is.
http://appleinsider.com/articl...
Fucking idiot.
And because everyone does it, it's perfectly fine. The US drops bombs in other countries so it's fine for other countries to drop bombs in the US. Am I understanding you correctly?
Sounds like some obscure porn activity.
A small vulnerability in a $50 consumer grade router that only results in a small number of users getting hit, most of which will never know they were pwned anyway, will not usually result in a massive effort to patch the flaws. Only after it is exploited on a wide scale and public attention and/or lawsuits brought will the beancounters think it's economically worth doing.
In the end I think most of these manufacturers should collaborate, fund and use a common community-driven firmware. Just slap a custom theme on an OpenWRT web GUI separate from the base firmware w/ some preinstalled packages and call it a day. With everyone throwing money and resources at OpenWRT, lighttpd, freecwmp, etc things could get a lot better.
The CIA, NSA and FBI could also inform manufacturers of these flaws, rather than request they remain, instead of weakening the security of this nation's network infrastructure by actively exploiting them for fun and profit.
A small vulnerability in a $50 consumer grade router that only results in a small number of users getting hit, most of which will never know they were pwned anyway, will not usually result in a massive effort to patch the flaws. Only after it is exploited on a wide scale and public attention and/or lawsuits brought will the beancounters think it's economically worth doing.
I'd argue that the bigger problem is that companies producing consumer products don't take security design seriously. Notifying them and letting them patch before disclosure only serves to bolster a reactionary design culture, and won't help transform the industry into a proactive one.
Full zero-day disclosure may have a long term positive effect in that customers who get bit are likely to take their money elsewhere, punishing those who make vulnerable products, and giving new companies a boost.
This allows for evolutionary pressure, while responsible disclosure greatly reduces the pressure, and thus the evolution.
The routers listed are overwhelmingly American brands... I think I will stay with the Taiwanese brands of routers for now, and you should do the same if you care about your computer equipment.
Let's hope the absence of Netgear from the router list means my Netgear DGN2200M isn't vulnerable...
If you play by the rules but your adversaries don't, then you are at a disadvantage...
Yes the NSA/CIA have 0day exploits, but so do the intelligence agencies of Russia, China, Israel, North Korea etc, and so do organised criminals. If the NSA gave up theirs, that would just make it easier for the others.
Also likely these tools leaked quite some time ago, and 802.11ac wasn't around yet. But even if such versions aren't listed, that doesn't mean the vulnerabilities aren't still present. If they weren't previously disclosed then the vendors are unlikely to have fixed them and the newer versions will often reuse a lot of the same code.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Check out Luxul routers. Not the cheapest, but built on OpenWRT. I've had a few now. Different models. All have been secure. And yes, I've personally pen tested, and have had others pen test.
Why single out Apple? They had all of one device on the list, and it was mostly an add-on device for streaming music from your computer to your stereo rather than being a router.
Never mind the tens of Cisco and Linksys products listed. Hater gonna hate.
Snowden blew the whistle on NSA wrongdoing. This isn't wrongdoing, it's the toolset of a public security agency that wasn't using them to violate the law or the rights of the people it defends, and now can't use at all.
Sorry, but many Netgear routers can be unstable due to hardware issues. I have personally replaced three different Netgear devices in the last two months. For instance, cable modems based on Intel's Puma 6 chipset
What rules?
There are no rules on the Internet, this has been clear since day one and there really is no way that any rules can really be enforced.
"If the NSA gave up theirs, that would just make it easier for the others."
That's bullshit, because if the NSA gave up its zero days on products used predominantly in the USA then it would make it harder for the adversaries, as those products would be more secure. The thing to recognize here is that these agencies are targeting products used predominantly in the United States as if they were trying to spy on their own citizens.
If the CIA/NSA were actually concerned about the security of the United States then they would be working with US manufacturers to make their products stronger while simultaneously looking for and hoarding exploits for foreign manufacturers. Unfortunately they are not concerned with the security of the country but instead are after more and more power and control.
Fighting fire with fire just burns down the whole forest.
So what if the CIA was using these tools to spy on the British, the Germans, the French, the Chinese, the Russians, the Italians, the Greeks, the Spaniards, the ...
No one really lives in those countries and cares anyway, right? Or at least they do not matter. And telling those people that they are being spied on is just wrong. As inferior people, they should expect this. It is good for them.
While everyone collaborating on a single open source firmware may make sense in many ways there are still problems with this approach...
Some will contribute a lot while others will just leech off the community, this may anger those who do contribute and discourage them from doing so.
Inevitably there will be disagreements and you'll end up with incompatible forks.
Some vendors will introduce vulnerabilities not present in the core code, or produce devices which never get updated etc and damage the reputation of the underlying platform.
Other vendors will still produce their own proprietary firmwares but start advertising them as "secure" because they don't have as many vulnerabilities found as the dominant platform - either because their code really is better written, or more likely because it's so niche that few people bother looking for holes.
If everyone runs the same software you get a monoculture; while there may be fewer vulnerabilities found, each one will be far more severe due to the much larger number of affected users. No software will ever be perfect, so inevitably some holes will still be found.
The software will end up bloated trying to serve everyone's needs, and do so badly.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
In an ideal world no one would do it, but if everyone else is doing it then you have to do so too or else you fall behind.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Pamala had her cherry popped a long time ago.
The software will end up bloated trying to serve everyone's needs, and do so badly.
How many distinct "needs" do you need in a typical consumer router firmware? How many can't be taken care of with external packages installed from repos?
Most router manufacturers are either shipping a slim VxWorks-based OS or are butchering OpenWRT already. There's nothing special about any of them. They all are typically based on similar reference designs that are bastardized just enough to be slightly different. They could just dump money and a couple of developers into OpenWRT instead of killing support for routers after a couple of years, and their customers' equipment could be safer for a lot longer.
What they are doing now is broken. They are leaving everyone vulnerable in a short period of time. Most of them are basically using embedded Linux anyway. There already is a monoculture.
^ Does not know what fun and profit are.
The U.S. is becoming itself the evil axis because it did create the massive destruction weapons in the cyberworld.
What do we expect about it? Massively more victims from untrusted routers & computers.
I don't know, I would consider clandestinely destroying the 4th and 5th amendments to bolster my budget both fun and profitable. Creepy.... but fun.
Did a quick scan of the attached user manual and from the table of contents, alone, I'm skeptical of its authenticity...
If the (U) and (S) of items in the table of contents refer to (Unclassified) or (Secret) classifications, then the author of the document should have their security clearance revoked.
Whenever a document contains multiple classifications, the document as a whole is classified at the strictest level; for example, if you have a document that is comprised of all Unclassified material except for one sentence that is classified Secret, the entire document is classified Secret. Looking at the table of contents, this is violated heavily. If the individual components are referred to by their security clearance, the overarching chapters are often misclassified. Any chapter containing a subelement that is (S)ecret means the chapter, as a whole should be (S)ecret, but this isn't followed (particularly for chapters 11-13).
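The rule the comment applies (a section or document carries the strictest mark found anywhere inside it) is mechanical enough to check automatically. The Go program below is an added example, not part of the thread or the leaked manual: it parses a constructed, indented table of contents with portion marks, computes the required level of every section from its descendants, and reports each section whose own mark is lower than what it contains. The outline format, the placeholder chapter titles and the four-level ordering are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Level orders the portion marks; higher is stricter.
type Level int

const (
	Unclassified Level = iota
	Confidential
	Secret
	TopSecret
)

func (l Level) String() string { return [...]string{"U", "C", "S", "TS"}[l] }

var markLevels = map[string]Level{"U": Unclassified, "C": Confidential, "S": Secret, "TS": TopSecret}

// Section is one table-of-contents entry, nested by indentation.
type Section struct {
	Title    string
	Mark     Level
	Children []*Section
}

// Each outline line is "<indent>(<MARK>) <title>", two spaces per nesting level.
var lineRE = regexp.MustCompile(`^( *)\(([A-Z]+)\) (.+)$`)

// ParseOutline builds the section tree under a synthetic root standing for the whole document.
func ParseOutline(text string) (*Section, error) {
	root := &Section{Title: "whole document", Mark: Unclassified}
	stack := []*Section{root} // stack[d] is the open section at depth d
	for n, line := range strings.Split(strings.Trim(text, "\n"), "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("line %d: missing portion mark: %q", n+1, line)
		}
		lvl, ok := markLevels[m[2]]
		if !ok {
			return nil, fmt.Errorf("line %d: unknown mark %q", n+1, m[2])
		}
		depth := len(m[1])/2 + 1
		if depth > len(stack) {
			return nil, fmt.Errorf("line %d: indentation skips a level", n+1)
		}
		stack = stack[:depth]
		sec := &Section{Title: m[3], Mark: lvl}
		stack[depth-1].Children = append(stack[depth-1].Children, sec)
		stack = append(stack, sec)
	}
	return root, nil
}

// Required is the strictest mark in the section or anything beneath it:
// the level the section as a whole must carry.
func Required(s *Section) Level {
	req := s.Mark
	for _, c := range s.Children {
		if r := Required(c); r > req {
			req = r
		}
	}
	return req
}

// Audit returns the level the whole document must carry plus one finding for
// every section marked lower than material it contains.
func Audit(root *Section) (Level, []string) {
	var findings []string
	var walk func(s *Section)
	walk = func(s *Section) {
		if req := Required(s); s != root && s.Mark < req {
			findings = append(findings, fmt.Sprintf("%s: marked (%s) but contains (%s) material", s.Title, s.Mark, req))
		}
		for _, c := range s.Children {
			walk(c)
		}
	}
	walk(root)
	return Required(root), findings
}

// SampleOutline is constructed for this example; the titles are placeholders.
const SampleOutline = `
(U) 1 Chapter 1
  (U) 1.1 Section 1.1
(S) 11 Chapter 11
  (U) 11.1 Section 11.1
  (S) 11.2 Section 11.2
(U) 12 Chapter 12
  (U) 12.1 Section 12.1
  (S) 12.2 Section 12.2
`

func main() {
	root, err := ParseOutline(SampleOutline)
	if err != nil {
		panic(err)
	}
	level, findings := Audit(root)
	fmt.Println("whole document must be marked:", level)
	for _, f := range findings {
		fmt.Println("finding:", f)
	}
}
```

On the sample outline, Chapter 11 is consistent (marked (S), containing (U) and (S) parts), Chapter 12 is flagged (marked (U) but containing an (S) subsection), and the document as a whole comes out as (S).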
They want to be able to say you committed any crime whenever they need to. That's all. If you have to be guilty, they'll decide it.
Another day in 1984.
See subject: AMT/Intel Mgt. Engine uses ports 16992-16995 & I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system + be CERTAIN your router's internal ware is "solid" as well (turn off things like UPnP etc.) & check it HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/commen...
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not).
APK
P.S.=> Good luck - as it's the BEST DEFENSE vs. this threat by stopping it being able to communicate in/out period, outside of the INTEL chipset, & stopped external to it via a router/firewall hardware... apk
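The policy the post above describes (allow only 80, 8080 and 443, and make sure nothing reaches the AMT/Management Engine ports) can be expressed as a small classifier and run over connection logs to see what a router with proper port filtering would have dropped. The Go program below is an added example, not from the thread or any router's firmware: the log line format and the sample addresses are constructed for it, and 623 and 664 are added beside the 16992-16995 range because AMT also listens on those RMCP ports.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Verdicts the policy hands out for one connection.
const (
	Allow   = "allow"
	Deny    = "deny"
	DenyAMT = "deny:amt" // worth an alert, not only a drop
)

// amtPorts: 16992-16995 as named in the post above, plus the RMCP ports 623/664 AMT also uses.
var amtPorts = map[int]bool{16992: true, 16993: true, 16994: true, 16995: true, 623: true, 664: true}

// DefaultAllowed mirrors the post's allow-list: web ports only.
var DefaultAllowed = map[int]bool{80: true, 443: true, 8080: true}

// Flow is one per-connection record (initiator on the left, responder on the right).
type Flow struct {
	Proto, Src, Dst  string
	SrcPort, DstPort int
}

// ParseFlow reads one line of the assumed format
// "<timestamp> <proto> <src-ip>:<port> -> <dst-ip>:<port>".
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[3] != "->" {
		return Flow{}, fmt.Errorf("unrecognised line: %q", line)
	}
	src, sp, err := splitAddr(f[2])
	if err != nil {
		return Flow{}, err
	}
	dst, dp, err := splitAddr(f[4])
	if err != nil {
		return Flow{}, err
	}
	return Flow{Proto: f[1], Src: src, Dst: dst, SrcPort: sp, DstPort: dp}, nil
}

func splitAddr(s string) (string, int, error) {
	host, port, err := net.SplitHostPort(s)
	if err != nil {
		return "", 0, err
	}
	p, err := strconv.Atoi(port)
	if err != nil || p < 1 || p > 65535 {
		return "", 0, fmt.Errorf("bad port in %q", s)
	}
	return host, p, nil
}

// Classify applies the policy: any contact with an AMT port on either end, in
// either direction, is denied and flagged; otherwise only allow-listed
// destination ports pass.
func Classify(f Flow, allowed map[int]bool) string {
	if amtPorts[f.DstPort] || amtPorts[f.SrcPort] {
		return DenyAMT
	}
	if allowed[f.DstPort] {
		return Allow
	}
	return Deny
}

// AuditLog tallies verdicts over a whole log; unparseable lines count under "error".
func AuditLog(log string, allowed map[int]bool) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(strings.Trim(log, "\n"), "\n") {
		f, err := ParseFlow(line)
		if err != nil {
			counts["error"]++
			continue
		}
		counts[Classify(f, allowed)]++
	}
	return counts
}

// SampleLog is constructed; addresses are from the RFC 5737 documentation ranges.
const SampleLog = `
2017-06-16T09:31:07Z TCP 192.168.1.23:49152 -> 203.0.113.9:443
2017-06-16T09:31:08Z TCP 192.168.1.23:49153 -> 198.51.100.4:16992
2017-06-16T09:31:09Z TCP 203.0.113.77:40001 -> 192.168.1.23:16993
2017-06-16T09:31:10Z TCP 192.168.1.23:49154 -> 203.0.113.9:80
2017-06-16T09:31:11Z TCP 192.168.1.23:49155 -> 198.51.100.4:21
`

func main() {
	fmt.Println(AuditLog(SampleLog, DefaultAllowed))
}
```

The point of the separate DenyAMT verdict is that a hit on those ports from the inside is not ordinary noise: the OS never opened that socket, so a filtering router that logs it is the one place a host can see its own management engine talking.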
Russia's entire military budget is 1/11th of America's ~ $1 TRILLION per year.
Snowden leaked that the Black Budget is AT LEAST $72 billion per year.
America spends more on spying on its own people than Russia spends on defense against us!
America spends more on the military than the next top 10 Nation's military budgets COMBINED.
Snowden informs us that NSA spends $233 MILLION per year just on Academic Grants.
Bluffdale cost $4 BILLION.
NSA kicks back over $100 MILLION per year each to Google, and to Apple and to ATT and Verizon.
Does Russia or China or the espionage apparatuses of the entire rest of the World pay that much to enable systematic population scale mass surveillance by exploiting and backdooring on an industrial scale anything that can compute?
HELL NO!
You can take your shitty Crack Dealer's Moral Paradox** excuse "but muh everybody spies so we must do it too" and GO FUCK RIGHT OFF.
NSA are the most disgusting outrageous pinnacle of Tyranny in all of human history, and frankly if Ft Meade got nuked tomorrow morning at 9:31am I would CHEER.
**Crack Dealer's Moral Paradox: "if I wasn't out in these here streets slanging drugs, then it would be some other nigga doing it, therefore I am absolved of any responsibilities for my own immoral actions to cynically get dat paper without regard for the existential destruction which I directly inflict upon my own community"
https://www.documentcloud.org/documents/3031640-05-Introduction-to-WLAN-CNE-Operations-Redacted.html
https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents-confirm/
Did not one of you nerds read Sam Biddle's leak of Snowden doc back in August 2016?
NSA BADDECISION is some kind of low level radio protocol exploit against all WiFi.
WPA2 included.
NSA SECONDDATE is when they mount BADDECISION on a prop plane. Presumably to record and infect all WiFi city-wide.
SECONDDATE is also described in the TAO ANT Catalogue.
In those slides it says NSA's weapon of choice to hack sysadmins is SECONDDATE. They hacked Syria's National telecom in 2006 by infecting their core backbone peer exchange. NSA had such detailed maps of the data center, they even had the names of the sysadmins on their chairs!
What is remarkable about CHERRYBLOSSOM is that apparently CIA is not trusted to get BADDECISION, instead they get hand-me-downs of shitty firmware update exploits.
I can't believe they didn't just use QUANTUMINSERT which would be infinitely easier to pwn all routers which download their firmware update via http.
Worst of all, Sam Biddle leaked those Snowden docs but never even mentioned the WiFi mass exploitation. He didn't read them! And nobody who read his article read the damned pdfs either!
We're all being led off the cliff by lemmings. Security and Infosec "experts" are asleep at the wheel. Cash your 6 figure paycheck, don't rock the boat, go along with the illusion of security because hey, NSA has already hacked everything anyways, so really we're all sleeping on their secure cushion and powerless to effect change ourselves, so why not just go with the flow?
Enjoy your LARPfest at Deaf-cons, tell folks you're a White Hat Ethical Hacker, get drunk in the Penthouse party on the $MegaCorp dime, and maybe even fuck a stripper in the Champagne room.
It doesn't matter because it's all fake security anyways.