CIA Created 'CherryBlossom' Toolkit For Hacking Hundreds of Router Models (bleepingcomputer.com)
An anonymous reader writes: After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series -- documents about a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models. The tool is by far one of the most sophisticated CIA malware frameworks in the CIA's possession. The purpose of CherryBlossom is to allow operatives to interact with and control SOHO routers on the victim's network. The tool can sniff, log, and redirect the user's Internet traffic, open a VPN to the victim's local network, execute actions based on predefined rules, alert operators when the victim becomes active, and more. A 24-page document included with the CherryBlossom docs lists over 200 router models from 21 vendors that the CIA could hack. The biggest names on this list are Apple, D-Link, Belkin, Aironet (Cisco), Linksys, and Motorola.
So the CIA uses its PoP to man-in-the-middle traffic directed at router manufacturers' firmware-update sites, and none of them simply checked the firmware signature before applying it?
This is a pretty basic exploit and a pretty basic check for the router manufacturers...
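What "checking the firmware signature before applying" looks like in practice, as an added example that is not from the leaked documents, the article, or any router vendor's real code. The image layout (a 4-byte magic, a big-endian version and length, the payload, then a 64-byte Ed25519 signature over everything before it) is a hypothetical format invented for this example; BuildImage stands in for the vendor's release pipeline so the example is self-contained, and VerifyImage is the check the device should run before it writes a byte to flash:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout, constructed for this example (not any vendor's format):
//   magic[4] "FWIM" | version uint32 (BE) | payload length uint32 (BE) | payload | ed25519 sig (64 bytes)
// The signature covers the header and the payload, so version and length are protected too.
const (
	magic      = "FWIM"
	headerSize = 4 + 4 + 4
)

var (
	ErrBadMagic  = errors.New("not a firmware image")
	ErrTruncated = errors.New("image truncated or length field inconsistent")
	ErrBadSig    = errors.New("signature verification failed")
	ErrRollback  = errors.New("image version is older than the installed version")
)

// BuildImage models the vendor's signing step: header + payload, then a signature
// made with the vendor's private key, which never leaves the build infrastructure.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := bytes.NewBuffer(nil)
	buf.WriteString(magic)
	binary.Write(buf, binary.BigEndian, version)
	binary.Write(buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the check the router should run on the device, against a public key
// baked into read-only storage, before anything is written to flash. It returns the
// payload and its version only when the structure, the signature and the
// anti-rollback check all pass.
func VerifyImage(pub ed25519.PublicKey, image []byte, installedVersion uint32) ([]byte, uint32, error) {
	if len(image) < headerSize+ed25519.SignatureSize {
		return nil, 0, ErrTruncated
	}
	if string(image[:4]) != magic {
		return nil, 0, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(image[4:8])
	plen := binary.BigEndian.Uint32(image[8:12])
	// Until the signature is verified, plen is attacker-controlled: bound it before slicing.
	if plen > uint32(len(image)) {
		return nil, 0, ErrTruncated
	}
	signedLen := headerSize + int(plen)
	if len(image) != signedLen+ed25519.SignatureSize {
		return nil, 0, ErrTruncated
	}
	signed, sig := image[:signedLen], image[signedLen:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrBadSig
	}
	// Even a genuinely signed older image must be refused, or an attacker who
	// intercepts the update channel can re-serve a known-vulnerable release.
	if version < installedVersion {
		return nil, 0, ErrRollback
	}
	return image[headerSize:signedLen], version, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, 3, []byte("constructed firmware payload"))
	tampered := append([]byte(nil), img...)
	tampered[headerSize] ^= 0x01 // one flipped payload bit, as an intercepted update might carry
	for _, c := range []struct {
		name string
		img  []byte
	}{{"genuine", img}, {"tampered", tampered}} {
		_, ver, err := VerifyImage(pub, c.img, 2)
		fmt.Printf("%-8s version=%d err=%v\n", c.name, ver, err)
	}
}
```

The point of the comment above is that this check only helps if it runs on the device, with the public key where an attacker who controls the download path cannot replace it; it does nothing against someone with physical access or a separate code-execution exploit, which the document's own prerequisites list (ethernet cable, LAN IP, web interface password) implies is how the agent was actually loaded.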
This is certainly "unauthorized access to a computer system". So we're going to see people going to prison for this, right? Like I would, if I did something like that? ..... right?
Read further in that section:
Prerequisites:
client computer with ethernet interface and firmware file
ethernet cable
device LAN IP address (referred to below as )
device web interface password
They have an embedded agent for most common hardware models and kernels (and a "CB Manual" possibly for custom building the agent.)
No surprise... once you have code you can manage to graft it into almost anything.
However, unlike lots of the other entries, no tool to crack it in the first place... they'd have to have physical access, or an exploit tool not covered in this document.
Someone had to do it.
Page 24...
"Barring guidance from the Sponsor with regards to particular devices of interest, Cherry Blossom has attempted to support wireless network devices that are ubiquitous and readily available (at least in the US)."
Why does CIA care what is "ubiquitous" and "readily available" in the United States? Who are they targeting? Why would they waste considerable sums of time and effort developing cracked firmware images based on US market availability? Is the CIA's mission spying on Americans? Isn't this supposed to be "Illegal"?
A small vulnerability in a $50 consumer-grade router that only results in a small number of users getting hit, most of whom will never know they were pwned anyway, will not usually result in a massive effort to patch the flaws. Only after it is exploited on a wide scale and public attention and/or lawsuits are brought will the beancounters think it's economically worth doing.
If you play by the rules but your adversaries don't, then you are at a disadvantage...
Yes, the NSA/CIA have 0-day exploits, but so do the intelligence agencies of Russia, China, Israel, North Korea etc., and so do organised criminals. If the NSA gave up theirs, that would just make it easier for the others.
Also likely these tools leaked quite some time ago, and 802.11ac wasn't around yet. But even if such versions aren't listed, that doesn't mean the vulnerabilities aren't still present. If they weren't previously disclosed then the vendors are unlikely to have fixed them and the newer versions will often reuse a lot of the same code.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!