CIA Created 'CherryBlossom' Toolkit For Hacking Hundreds of Routers Models

An anonymous reader writes: After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series -- documents about a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models. The tool is by far one of the most sophisticated CIA malware frameworks in the CIA's possession. The purpose of CherryBlossom is to allow operatives to interact and control SOHO routers on the victim's network. The tool can sniff, log, and redirect the user's Internet traffic, open a VPN to the victim's local network, execute actions based on predefined rules, alert operators when the victim becomes active, and more. A 24-page document included with the CherryBlossom docs lists over 200 router models from 21 vendors that the CIA could hack. The biggest names on this list are Apple, D-Link, Belkin, Aironet (Cisco), Linksys, and Motorola.

When Apple is more than a fruit.

After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series -- documents about a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models.

Wow! This is one cherry I wouldn't want to pop.

Re: When Apple is more than a fruit.

Why single out Apple? They had all of one device on the list, and it was mostly an add-on device for streaming music from your computer to your stereo rather than being a router.

Never mind the tens of Cisco and Linksys products listed. Hater gonna hate.

Re:When Apple is more than a fruit.

Pamala had her cherry popped a long time ago.

Thanks wikileaks you are really helping

Thanks wikileaks you are really helping to write malware and infect many computers. North Korea and the Russian hackers owe you again. Please keep the good flow of illegal stolen information flowing.

Re:Thanks wikileaks you are really helping

[rdelsambuco]

Bullshit.

Re: Thanks wikileaks you are really helping

Perhaps the ethical thing to do would be to inform the manufacturers and give them reasonable notice prior to simply dumping the information online. While I certainly have no problem with this information eventually being made public, Wikileaks is dumping this information without regard to the consequences. To do otherwise seems unethical, not that Wikileaks cares about ethics any longer. It seems like they've become politically motivated of late rather than their original goal of providing transparency where there otherwise wouldn't be.

Re:Thanks wikileaks you are really helping

Exposing security weakness to the public helps gets them fixed, which improves security.

Re:Thanks wikileaks you are really helping

Seems to me serious spooks of many nations have already built similar tools for themselves.

Re:Thanks wikileaks you are really helping

This is really an issue with the US subverting the companies that pay for it to fund such activities. In all reality, we should be handing zero days over to make things more secure, not hoarding them, thereby making them less secure. What's worse is that every zero day we have, someone else could have, and there's no way of us knowing about it. All we're doing is endangering the IP of the legitimate businesses and citizens of the US by keeping these zero days private.

"Make the world more secure, by ensuring it's less secure" should be our motto, at least then it'd be blatantly obvious we don't give a fuck about actually securing anything (not that it isn't already).

Re: Thanks wikileaks you are really helping

The Government spy agencies shouldn't be creating f...ing malware/trojans.. Cause this will happen every time. Information wants to be free. This also seems to be is old equipment models. They don't even have 802.11ac equipment listed? Oh wait, the CIA has updated attack tools that hasn't been stolen....yet.

Re:Thanks wikileaks you are really helping

If you bothered to read, they dumped the manuals, not the tools.

Re: Thanks wikileaks you are really helping

[king+neckbeard]

There's plenty of debate on what constitutes responsible disclosure of vulnerabilities, but this document appears to only explain how the tool is used, not including the tool itself, so that isn't even the conversation to be having.. Your argument seems more applicable to The Shadow Brokers.

What this leak would seem to do would be to correct the mistake the CIA made by failing to disclose vulnerabilities to vendors so they could use it themselves. Pretty much the only way to criticize Wikileaks here is to claim that the CIA are the good guys, which doesn't really jibe with the entire history of the CIA, especially for the /. crowd.

Re:Thanks wikileaks you are really helping

"Exposing security weakness to the public helps gets them fixed, which improves security."

Wikileaks could have informed the manufacturers first, giving them time to create patches before it's leaked to the interwebs. Fuck Wikileaks for this one. Too bad they can't be held responsible when this gets exploited and causes real damage to innocent victims.

Re:Thanks wikileaks you are really helping

do you suffer cerebral palsy? they didn't wrote the damn thing

Re:Thanks wikileaks you are really helping

parent: "do you suffer cerebral palsy?"

Why yes I do. Most people know me as Randy, but my friends call me "Spaz".

Re:Thanks wikileaks you are really helping

Yes, a VERY big thanks to WL actually. Without documents like these coming to light your privacy erodes MUCH quicker thanks to the likes of "Scaryisms".
TLA's and poli's want backdoors to everything but they can't even keep THEIR shit together. What security do YOU have?

Also, fuck you

Re:Thanks wikileaks you are really helping

[fustakrakich]

Wikileaks could have informed the manufacturers first, giving them time to create patches before it's leaked to the interwebs.

That's bullshit. The manufacturers are well aware of the flaws being exploited, and it is just as plausible they left them open on 'request'.

Re:Thanks wikileaks you are really helping

Wikileaks could have informed the manufacturers first, giving them time to create patches before it's leaked to the interwebs. Fuck Wikileaks for this one. Too bad they can't be held responsible when this gets exploited and causes real damage to innocent victims.

you seem to be forgetting that Wikileaks is in the entertainment business.

Re: Thanks wikileaks you are really helping

Perhaps the ethical thing to do would be to inform the manufacturers and give them reasonable notice prior to simply dumping the information online. While I certainly have no problem with this information eventually being made public, Wikileaks is dumping this information without regard to the consequences. To do otherwise seems unethical, not that Wikileaks cares about ethics any longer. It seems like they've become politically motivated of late rather than their original goal of providing transparency where there otherwise wouldn't be.

Big Brother would be so proud of you. Do you honestly think that prior notice will get some companies to fix what is a serious security issue.

Sometimes the best method of getting information across to Manufacturers is to just make it public. Yes it can hurt initially and some of the companies will have deservedly red faces but if better security is the result then I am all for it.

Re: Thanks wikileaks you are really helping

I have perfect security. If my wife doesn't send me an S/MIME encrypted email we have a "serious discussion" at the dinner table where I lecture her about the NSA, foreign actors, and idiot slashdot shitfuckers.

Then I don't get laid.

Re: Thanks wikileaks you are really helping

[gl4ss]

*Perhaps the ethical thing to do would be to inform the manufacturers and give them reasonable notice prior to simply dumping the information online*

well yes. but deploying this tool equaled to dumping the info online or not?

Re: Thanks wikileaks you are really helping

Fucking idiot.

Re:Thanks wikileaks you are really helping

[ogdenk]

A small vulnerability in a $50 consumer grade router that only results in a small number of users getting hit, most of which will never know they were pwned anyway, will not usually result in a massive effort to patch the flaws. Only after it is exploited on a wide scale and public attention and/or lawsuits brought will the beancounters think it's economically worth doing.

In the end I think most of these manufacturers should collaborate, fund and use a common community-driven firmware. Just slap a custom theme on an OpenWRT web GUI separate from the base firmware w/ some preinstalled packages and call it a day. With everyone throwing money and resources at OpenWRT, lighttpd, freecwmp, etc things could get a lot better.

Re:Thanks wikileaks you are really helping

[ogdenk]

The CIA, NSA and FBI could also inform manufacturers of these flaws, rather than request they remain, instead of weakening the security of this nation's network infrastructure by actively exploiting them for fun and profit.

Re:Thanks wikileaks you are really helping

[ogdenk]

A small vulnerability in a $50 consumer grade router that only results in a small number of users getting hit, most of which will never know they were pwned anyway, will not usually result in a massive effort to patch the flaws. Only after it is exploited on a wide scale and public attention and/or lawsuits brought will the beancounters think it's economically worth doing.

Re:Thanks wikileaks you are really helping

[arth1]

I'd argue that the bigger problem is that companies producing consumer products don't take security design seriously. Notifying them and letting them patch before disclosure only serves to bolster a reactionary design culture, and won't help transform the industry into a proactive one.

Full zero-day disclosure may have a long term positive effect in that customers who get bit are likely to take their money elsewhere, punishing those who make vulnerable products, and giving new companies a boost.
This allows for evolutionary pressure, while responsible disclosure greatly reduces the pressure, and thus the evolution.

Re: Thanks wikileaks you are really helping

[Bert64]

If you play by the rules but your adversaries don't, then you are at a disadvantage...

Yes the NSA/CIA have 0day exploits, but so do the intelligence agencies of russia, china, israel, north korea etc, and so do organised criminals. If the NSA gave up theirs, that would just make it easier for the others.

Also likely these tools leaked quite some time ago, and 802.11ac wasn't around yet. But even if such versions aren't listed, that doesn't mean the vulnerabilities aren't still present. If they weren't previously disclosed then the vendors are unlikely to have fixed them and the newer versions will often reuse a lot of the same code.

Re:Thanks wikileaks you are really helping

[Highdude702]

Check out Luxul routers. Not the cheapest but built on OpenWRT I've had a few now. Different models. All have been secure. And yes I've personally pen tested, and have had others pen test.

Re: Thanks wikileaks you are really helping

What rules?

There are no rules on the Internet, this has been clear since day one and there really is no way that any rules can really be enforced.

"If the NSA gave up theirs, that would just make it easier for the others."

thats bullshit. because if the NSA gave up its zero days on products used predominantly in the USA then it would make it harder for the adversaries as those products would be more secure. The thing to recognize here is that these agencies are targeting products used predominantly in the united states as if they were trying to spy on their own citizens.

if the CIA/NSA were actually concerned about the security of the united states then they would be working with US manufacturers to make their products stronger while simultaneously looking and hording exploits for foreign manufacturers. Unfortunately they are not concerned with the security of the country but instead are after more and more power and control.

  fighting fire with fire just burns down the whole forest.

Re:Thanks wikileaks you are really helping

[Bert64]

While everyone collaborating on a single open source firmware may make sense in many ways there are still problems with this approach...

Some will contribute a lot while others will just leech off the community, this may anger those who do contribute and discourage them from doing so.
Inevitably there will be disagreements and you'll end up with incompatible forks.
Some vendors will introduce vulnerabilities not present in the core code, or produce devices which never get updated etc and damage the reputation of the underlying platform.
Other vendors will still produce their own proprietary firmwares but start advertising them as "secure" because they don't have as many vulnerabilities found as the dominant platform - either because their code really is better written, or more likely because its so niche that few people bother looking for holes.
If everyone runs the same software you get a monoculture, while there may be less vulnerabilities found each one will be far more severe due to the much larger number of affected users. No software will ever be perfect, so inevitably some holes will still be found.
The software will end up bloated trying to serve everyone's needs, and do so badly.

Re:Thanks wikileaks you are really helping

The software will end up bloated trying to serve everyone's needs, and do so badly.

How many distinct "needs" do you need in a typical consumer router firmware? How many can't be taken be taken care of with external packages installed from repos?

Most router manufacturers are either shipping a slim VxWorks-based OS or are butchering OpenWRT already. There's nothing special about any of them. They all are typically based on similar reference designs that are bastardized just enough to be slightly different. They could just dump money and a couple developers to OpenWRT instead of killing support for routers after a couple years and their customer's equipment could be safer for a lot longer.

What they are doing now is broken. They are leaving everyone vulnerable in a short period of time. Most of them are basically using embedded Linux anyway. There already is a monoculture.

Re: Thanks wikileaks you are really helping

[Brockmire]

^ Does not know what fun and profit are.

Re: Thanks wikileaks you are really helping

[ogdenk]

I don't know, I would consider clandestinely destroying the 4th and 5th amendments to bolster my budget both fun and profitable. Creepy.... but fun.

Download link?

Can't be any worse than the factory firmware. Sounds full featured!

Two words: Reasonable Doubt

Defense attorneys must be salivating at this news, right? The fact that so many different router models are exploitable just screams "reasonable doubt." Hundreds of different models of routers are affected. If the CIA could find and exploit these vulnerabilities, so could other people. Anyone being charged with a computer crime that doesn't have a physical nexus (e.g. DPR getting fake passports in the mail) should point to this information and say see, my router was hackable, anyone in the world could have gotten into my network and launched that DDoS | committed credit card fraud | etc.

Re:Two words: Reasonable Doubt

They would all have the same implementation of TCP/IP. Some derivation from Berkeley or whatever. I worked for a company that took their TCP/IP stack, tried to patch as many memory leaks and bugs as possible, and put it on their range of routers. You just could not touch or modify that TCP/IP code base, because it contained source code that had passed through interop tests.

Fuck off america

Dear America, american citizens and agencies.

Please fuck off, and while you're at it, die.

Regards
Most of the rest of the world

Re: Fuck off america

There is every reason to believe that intelligence agencies in other countries do the same things. Is there ANY reason to doubt that intelligence agencies in the UK, Germany, China, Russia, and other countries aren't doing the same things? Of course they're doing the same things! A lot of the world would be hypocrites to complain about this. Those governments and plenty of others are just as interested in spying as the US government is. You just wanted to post some flamebait, so congratulations on making a post that exposes just what an idiotic asshole you are. The collateral damage from the spying is a huge problem when these exploits are leaked to the public and used by criminals for their benefit. If you had made that point, I'd have no problem with it. However, you've actually revealed yourself as a troll incapable of having a mature discussion.

Re: Fuck off america

And because everyone does it, it's perfectly fine. The US drops bombs in other countries so it's fine for other countries to drop bombs in the US. Am I understanding you correctly?

Re: Fuck off america

[Bert64]

In an ideal world noone would do it, but if everyone else is doing it then you have to do so too or else you fall behind.

Re: Fuck off america

Russia's entire military budget is 1/11th of America's ~ $1 TRILLION per year.

Snowden leaked that the Black Budget is AT LEAST $72 billion per year.

America spends more on spying on its own people than Russia spends on defense against us!

America spends more on the military than the next top 10 Nation's military budgets COMBINED.

Snowden informs us that NSA spends $233 MILLION per year just on Academic Grants.

Bluffdale cost $4 BILLION.

NSA kicksbacks over $100 MILLION per year each to Google, and to Apple and to ATT and Verizon.

Does Russia or China or the espionage apparatuses of the entire rest of the World pay that much to enable systematic population scale mass surveillance by exploiting and backdooring on an industrial scale anything that can compute?

HELL NO!

You can take your shitty Crack Dealer's Moral Paradox** excuse "but muh everybody spies so we must do it too" and GO FUCK RIGHT OFF.

NSA are the most disgusting outrageous pinnacle of Tyranny in all of human history, and frankly if Ft Meade got nuked tomorrow morning at 9:31am I would CHEER.

**Crack Dealer's Moral Paradox: "if I wasn't out in these here streets slanging drugs, then it would be some other nigga doing it, therefore I am absolved of any responsibilities for my own immoral actions to cynically get dat paper without regard for the existential destruction which I directly inflict upon my own community"

Can this infect 3rd party firmware?

For example Tomato, DD-WRT, OpenWRT, and all the variants that are so popular on commodity hardware.

Re:Can this infect 3rd party firmware?

No, you are completely safe. Open Source software never has any bugs. I'm sure the CIA/NSA have not looked into them at all. Put it out of your mind and rest easy friend.

Re:Can this infect 3rd party firmware?

[hashish]

Did you actually read the article?
They are replacing the existing firmware with a new version with 'extra' functionality.
The people who would not notice are the ones who would use the system out of the box and would not notice a hard reset. I am guessing a custom firmware users would notice.

Re:Can this infect 3rd party firmware?

[AHuxley]

AC think of it as a swap out. The device will still work and the user might not notice for a while.

Re:Can this infect 3rd party firmware?

[skids]

The "supported" model list makes it look like they are only targeting default OEM loads. Which makes sense since that's what most people run.

Re:Can this infect 3rd party firmware?

And the odds are very good that the average home user fails to change the default admin password.

Re:Can this infect 3rd party firmware?

[Frederic54]

I compile my own TomatoUSB based on Toastman source, also I can only access it from intranet via ssh. I check my log from time to time to see if there is any anomaly too.

Re:Can this infect 3rd party firmware?

Um...good for you? You're still relying on the security of your custom firmware and are still at the mercy of any hardware vulnerabilities. Just because a vulnerability isn't commonly known to exist, doesn't make you safe. You should be safeR though.

Re:Can this infect 3rd party firmware?

[Shatrat]

Honestly, I probably wouldn't unless they did it badly. If there was a hard reset I would assume a power issue while I wasn't looking. If they didn't change the function or the admin interface, I probably wouldn't now that my Tomato had been replaced with CherryTomato.

Re:Can this infect 3rd party firmware?

[WallyL]

CherryTomato.

Don't give them any ideas!

Worry about the ones not released

It isn't the ones Russia leaked (leaked in 7 (or more) dumps to Wikileaks, that Assange has been systematically unlocking for maximum press) it's the ones they decided not to leak.

These dumps are from a Russian hack of the CIA, their hackers keep the best stuff for themselves. So this "backdoor in everyones router" isn't the best stuff, they still have those.

What it does is give everyone a wakeup call to fix their security holes and not trust their network kit.

DD-WRT

[eric31415927]

I didn't see anything about DD-WRT flashed routers in the manual.
So maybe I'm good.

Re:DD-WRT

Yup, you're good. Put it out of your mind and rest easy, friend.

Re:DD-WRT

[WhoBeDaPlaya]

Been running only DD-WRT for the better part of a decade. Currently running DD-WRT x86, Hack this! ;)

Re:DD-WRT

The NSA/CIA probably aren't interested in some neckbeard's pornhub habits, so yes, you probably haven't been targeted. Surf on, captain, surf on

Re:DD-WRT

Page 173:
16.7 Firmware Upgrade Procedures: Linksys WRT54GL v1
fw ddwrt_v24_sp1_std_generic_10011

Re:DD-WRT

I wonder if they can haxyhax pfSense?

Re:DD-WRT

Mate, they are especially interested in neckbeards. We've known about XkeyScore for some time. It's job is to flag users for enhanced monitoring. Amongst it's targets are terrorists, political extremists, system administrators, Linux users, VPN users, and readers of sites like slashdot.

Re:DD-WRT

[AHuxley]

The "Claymore" part looks for routers that will be open to such efforts.

Re:DD-WRT

[skids]

Read further in that section:

Prerequisites:
  client computer with ethernet interface and firmware file
  ethernet cable
  device LAN IP address (referred to below as )
  device web interface password

They have an embedded agent for most common hardware models and kernels (and a "CB Manual" possibly for custom building the agent.)
No surprise... once you have code you can manage to graft it into almost anything.

However, unlike lots of the other entries, no tool to crack it in the first place... they'd have to have physical access, or an exploit tool not covered in this document.

Re:DD-WRT

Even an organization as large and well funded as the NSA probably cannot afford to or justify directly tapping all inputs and outputs of every single ISP in the country. No, it makes more sense for them to tap key backbone providers further up the chain. This means that VPN traffic is going to be mixed and multiplexed in with the traffic from millions of other users using the same networks. Even if you assume that they can successfully pick out individual sessions, those would still only go back as far as the public VPN exit servers. Finally, the traffic is still encrypted even if they can trace it back that far which means that (a) they don't know exactly where it truly originated from and (b) they don't know the content either. Now, can the NSA break the VPN encryption? Yeah probably, but that takes time and computing power, both of which are in limited supply. I very much doubt they're going to waste either trying to catch and decrypt the traffic of ordinary American or even foreign VPN users without some other evidence to indicate that it's worthwhile to spend the resources on doing it. Incidentally, this is why every American should use VPN for everything. If everyone used VPN it would be even harder for them to separate the wheat from the chaff, thereby decreasing still further the likelihood that they will bother with dragnet surveillance of the public Internet.

Re:DD-WRT

Most ppl using these commercial routers are not going to log into the router and make significant changes. As long as it works they are not going do much with it... if its a wifi router make sure the SSID is the same (can easily be sniffed).

Bottom line this is a hands on hack, not remote, and they are relying on a hands off owner.

Re:DD-WRT

[StikyPad]

What makes you think VPN providers haven't been compromised?

Re:DD-WRT

[Bert64]

You assume that they need to break the encryption...
They could attempt to hack the VPN provider, clearly they have access to plenty of undisclosed vulnerabilities and have skilled people working for them so this isn't outside the realms of possibility.
If the VPN provider is under their jurisdiction, or that of their allies, they could demand access.
They could demand access to payment details for the VPN provider, and correlate this data with others to build up profiles of people's identities.
Plenty of attacks are possible...

Re:DD-WRT

[AHuxley]

AC XKeyscore will help find the VPN users. https://en.wikipedia.org/wiki/...

Re: DD-WRT

PFsense just started shipping to Russia this past year.

That makes them a target too. NSA can wholy justify backdooring PFsense on the assembly line, and via CORESECRETS mole sysadmins and by giving PFsense's General Counsel an NSL gag order ordering them to comply with "extra security evaluation advice from NSA."

And by security evaluation I mean NSA backdoors PFsense for their own spying so that nobody else can.
NOBUS == Nobody But Us.

Herr Admiral Will Not Be Pleased

Admiral Mikey The Navy Man (NSA) is under fire as it is, NOW THIS!

NSA creates code as this, not CIA; they (CIA) are chump change.

The CIA is run by the State Department.

Likely Obama Sandinista are unhappy and are trying to undercut Tillerson and wreak Trump.

Well boys, having THIS code out is a very good thing!

Thanks To Wikileaks!

its a MITM replacement of firmware

[johnjones]

So the CIA uses its PoP to man in the middle traffic directed at router manufacturers firmware update sites and none of them simply checked the firmware signature before applying ?

This is pretty basic exploit and pretty basic check for the router manufacturers...

 

Re:its a MITM replacement of firmware

the CIA

Nuff said.

simply checked the firmware signature

....*sigh*.... "That's a nice firmware signing process you have there, you'll use this key if you want to live through the day."

Signatures are crap for security. The only useful things that they do is prevent the device owner from messing with the code, and being a useful tool for smoking out those few with the skills needed to break though anyway. Of course that definition of "usefulness" may not be so useful if you're not an alphabet soup agency.

Do go ahead and believe otherwise though, most people seem to do so, as they like living in ignorance / arrogance.

This is pretty basic exploit and pretty basic check for the router manufacturers...

It's not an "exploit" unless the code is there to be taken advantage of. "Features" that do not exist do not qualify as an "exploit".

As for the "basic" check, that "basic" has been abused multiple times in the past, (Go ask any video game hardware manufacturer from Japan, I'll wait.), and as I've already said: It's not a secure process. That is unless you think that an auto-updating device locked to a specific key will never have that key compromised or betray your trust in the entirety of the time that you use it, or that if it does so you'll find out about it before shit hits the fan. TL;DR it's not just whether or not you trust the manufacturer at the time of purchase, it's whether or not you trust them for the lifetime of the device. A status that can change with a millisecond's notice.

And no, just because "It makes it less likely for Joe DumbAss, to brick or infect his device" doesn't cut it. Why? Because it's for Joe DumbAss's convenience that ALL OF US have to suffer the consequences of being forced to trust a third party. That OUTWEIGHS the benefit of his "protection" because it makes us ALL less safe. There is a saying that "your right to swing your fist, ends at my nose." So why should Joe DumbAss's convenience overrule ALL of society's right to control their devices? Just because Joe DumbAss couldn't give less of a fuck about protecting himself online, doesn't mean the rest of society should be forced to accept his level of security (or lack thereof) as the norm.

Re:its a MITM replacement of firmware

key roll over and protection might not be easy but they are standard...

just use DANE and DNSsec for example to distribute keys...

requiring internet access to download an update your router shocking...

Re:its a MITM replacement of firmware

This is why custom firmwares are possible, for the most part, because they DON'T check signatures, or even sign them at all!
I worry that this will lead to increasingly more secure routers that will prevent custom installs.
On the other hand, it is also a good thing because less enslaving of routers by hackers at any level.

Not that it matters all too much, it is far better to make a custom router from scratch because you can add the features you want even more so than custom firmwares can.
It will be more costly, but it will also last you a long ass time since it is modular and easily upgraded to new specs as they come out.
Something like a micro or mini computer build with a network card with 2 ports and some antennae.
You can make these things with Raspberry Pis (usually referred to PiHoles for their DNS-blocking uses and ad-blocking)

pfSesnse

[darkain]

Been using pfSense for years now, glad to know the FreeBSD life style is still holding up better than commercial consumer bullshit!

Re:pfSesnse

pfSense probably isnt infallible but I'd hope it sets the bar much higher.

Plug and play vs long password?

[AHuxley]

A long new password won't help the device.
FlyTrap then connects to CherryTree.
Mission then sends down the tasks to the device.
CherryWeb is the GUI that looks over the new network.
Windex alters the computers browsers i.e. malware.
A copy of networked data via a new VPN.
Years of access.

so about that CFAA...

This is certainly "unauthorized access to a computer system". So we're going to see people going to prison for this, right? Like I would, if I did something like that? ..... right?

Re:so about that CFAA...

[NewtonsLaw]

You forget... there are two sets of rules:

One for those who *make* the rules

Another for the rest of us.

Governments can murder, steal, defame and generally do many things that, as individuals, we would be prosecuted and perhaps even forfeit our lives for.

And who says that power doesn't corrupt?

SRI -

Stanford Research Institute. Reading about what this "non-profit" does, and has done in the past for the government, is actually more interesting than the Cherry Blossom project they created. Oh, and the CNB (?) wanted SRI to use Fedora 14 for the CB platform, which, once again, reaffirms that the Red Hat product is the preferred OS of the Deep State. Freedom and privacy loving Red Hat sw devs must be so proud.

Obligatory:Intel CPU Backdoor Report (May 5 2017)

The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.

What we know about Intel CPU backdoors so far:

TL;DR version

Your Intel CPU and Chipset is running a backdoor as we speak.

The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.

30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.

[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".

"We can permanently monitor the keyboard buffer on both operating system targets."

Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.

Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.

If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).

Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software

1. Introduction, what is Intel ME

Short version, from Intel staff:

Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AM

The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.

Long version:

ME: Management Engine

The Intel Management Engine (ME) is a separate computing environment physically located in the MCH chip or PCH chip replacing ICH.

The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or

OBVIOUS: ROUTERS ARE THE PRIME VECTOR

You can have a high degree of local machine security running something like slackware on a corebooted thinkpad but ever since i was a kid with my first cable modem that blinking black box has always spooked me.

Routers are almost always propriety telcom supplied, a real PIA to impossible to get open firmware for. Its just obvious. If they (three letter et. al) are going to hack you they will start with your router.

Public wifi (using someones elses router temporarily) is the only way to counter this attack.

-K

Phew

Good to see ubiquiti isn't on the list

Re:Phew

Ubiquiti is so full of security holes, they didn't need a special tool ^.^

Outdated....

Looks like all the routers on the list are very old. This tool is outdated? Or just the list of routers?

"At least in the US"

[WaffleMonster]

Page 24...

"Barring guidance from the Sponsor with regards to particular devices of interest, Cherry Blossom has attempted to support wireless network devices that are ubiquitous and readily available (at least in the US)."

Why does CIA care what is "ubiquitous" and "readily available" in the United States? Who are they targeting? Why would they waste considerable sums of time and effort developing cracked firmware images based on US market availability? Is the CIA's mission spying on Americans? Isn't this supposed to be "Illegal"?

Re:"At least in the US"

The CIA is forbidden from operating in the US. So much for rules and laws.

Re:"At least in the US"

[Sir+Holo]

The CIA is forbidden from operating in the US. So much for rules and laws.

Yep. They have dirt on you and everyone else, too. It doesn't even have to be dirt, but just data, which can be misconstrued to frame any person quite readily, for just about any kind of claimed legal transgression.

The innocent should be just as afraid as the guilty.

If this snooped-upon group of Americans includes members of the House and Senate, who make the laws controlling the CIA, then they have your government by the balls, and there is nothing anyone can (safely) do about it.

Ignorance is freedom.

Re:"At least in the US"

[AHuxley]

AC read up on Operation CHAOS and operating in the US. https://en.wikipedia.org/wiki/...

Apple not affected

http://appleinsider.com/articl...

Re:Apple not affected

And how the fuck would Apple know... the malware wasn't released, just the documentation. This is just shit reporting and Apple's PR department doing damage control. Fuck US press!

"Cherry Blossom"??

[pablo_max]

Sounds like some obscure porn activity.

Another lesson to stay away from U.S. brands

the routers listed are overwhelmingly American brands... I think I will stay with the Taiwanese brands of routers for now, and you should do the same if you care about your computer equipment.

Good. No Netgear.

[jonwil]

Lets hope the absence of Netgear from the router list means my Netgear DGN2200M isn't vulnerable...

Re:Good. No Netgear.

They don't need to target Netgear because the goddamn firmware doesn't work properly in the first place.

Re:Good. No Netgear.

The Chinese already had that hacked - no reason to duplicate effort.

Re:Good. No Netgear.

The presence of the list of wireless routing devices is confused at best and disinformation at worst. It is just a context-free list of devices with capabilities (e.g., supports wireless B, G with GPL'd code). If you look at the manual you will find that netgear and linksys are both owned.

Re:Good. No Netgear.

The presence of the list of wireless routing devices is confused at best and disinformation at worst. It is just a context-free list of devices with capabilities (e.g., supports wireless B, G with GPL'd code). If you look at the manual you will find that netgear and linksys are both owned.

There's a link in the article to a wikileaks pdf with the model number, description and more. It's not even at the end. https://wikileaks.org/vault7/document/WiFi_Devices/WiFi_Devices.pdf

Re:Good. No Netgear.

[jonwil]

Oh well, in a couple of months the NBN will be hitting my area (apparently) and I will need a new router that is compatible with the VDSL2 FTTN gear. Then I can buy one that doesn't suck and put open source firmware on it that sucks even less :)

Why was this leak worthy?

[sabbede]

Was the CIA using it on routers in the US? That would be worth leaking - it would be a spy agency breaking all the rules to spy on Americans. I thought Wikileaks was for whistleblowers. Giving away the agency's secret tools isn't whistleblowing, it's treasonous. The public is not served by this. If anything, it puts the American people at a disadvantage.

Snowden blew the whistle on NSA wrongdoing. This isn't wrongdoing, it's the toolset of a public security agency that wasn't using them to violate the law or the rights of the people it defends, and now can't use at all.

Re:Why was this leak worthy?

Was the CIA using it on routers in the US? That would be worth leaking - it would be a spy agency breaking all the rules to spy on Americans.

Probably, yes. https://slashdot.org/comments.pl?sid=10746943&cid=54630901

Re:Why was this leak worthy?

Congratulations. You've achieved idiot rank. Note the models of the routers here. This is definitely to target Americans.

No Hope

Sorry, but many Netgear routers can be unstable due to hardware issues. I have personally replaced three different Netgear devices in the last two months. For instance, cable modems based on Intel's Puma 6 chipset

Yeah, because Wikileaks is based in the US, right?

So what if the CIA was using these tools to spy on the the British, the Germans, the French, the Chinese, the Russians, the Italians, the Greeks, the Spaniards, the ...
No one really lives in those countries and cares anyway, right? Or at least they do not matter. And telling those people that they are being spied on is just wrong. As inferior people, they should expect this. It is good for them.

All car has always a backdoor, the 3rd or 5th door

The U.S. is becoming itself the evil axis because it did create the massive destruction weapons in the cyberworld.

what do we expect about it? Massively more victims from untrusted routers & computers.

Questionable documentation...

[Timothy2.0]

Did a quick scan of the attached user manual and from the table of contents, alone, I'm skeptical of its authenticity...

If the (U) and (S) of items in the table of contents refer to (Unclassified) or (Secret) classifications, then the author of the document should have their security clearance revoked.

Whenever a document contains multiple classifications, the document as a whole is classified at the strictest level; for example, if you have a document that is comprised of all Unclassified material except for one sentence that is classified Secret, the entire document is classified Secret. Looking at the table of contents, this is violated heavily. If the individual components are referred to by their security clearance, the overarching chapters are often misclassified. Any chapter containing a subelement that is (S)ecret means the chapter, as a whole should be (S)ecret, but this isn't followed (particularly for chapters 11-13).

Wha can you do? And it's nice and legal

They want to be able to say you committed any crime whenever they need to. That's all. If you have to be guilty, they'll decide it.

Another day in 1984.

Router/modem based port filters SHOULD work

See subject: AMT/Intel Mgt. Engine uses ports 16992-16995 & I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system + be CERTAIN your router's internal ware is "solid" as well (turn off things like UPnP etc.) & check it HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/commen...

* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not).

APK

P.S.=> Good luck - as it's the BEST DEFENSE vs. this threat by stopping it being able to communicate in/out period, outside of the INTEL chipset, & stopped external to it via a router/firewall hardware... apk

NSA BADDECISION Hacks WPA2 LOL

https://www.documentcloud.org/documents/3031640-05-Introduction-to-WLAN-CNE-Operations-Redacted.html

https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents-confirm/

Did not one of you nerds read Sam Biddle's leak of Snowden doc back in August 2016?

NSA BADDECISION is some kind of low level radio protocol exploit against all WiFi.

WPA2 included.

NSA SECONDDATE is when they mount BADDECISION on a prop plane. Prrsumably to record and infect all WiFi city-wide.

SECONDDATE is also described in the TAO ANT Catalogue.

In those slides it says NSA's weapon of choice to hack sysadmins is SECONDDATE. They hacked Syria's National telecom in 2006 by infecting their core backbone peer exchange. NSA had such detailed maps of the data center, they even had the names of the sysadmins on their chairs!

What is remarkable about CHERRYBLOSSOM is that apparently CIA is not trusted to get BADDECISION, i stead they get hand me downs of shitty firmware update exploits.

I can't believe they didn't just use QUANTUMINSERT which would be infinitely easier to pwn all routers which download their formware update via http.

Worst of all, Sam Biddle leaked those Snowden docs but never even mentioned the WiFi mass exploitation. He didn't read them! And nobody who read his article read the damned pdfs either!

We're all being led off the cliff by lemmings. Security and Infosec "experts" are asleep at the wheel. Cash your 6 figure paycheck, don't rock the boat, go along with the illusion of security because hey, NSA has already hacked everything anyways, so really we're all sleeping on their secure cushion and powerless to effect change ourselves, so why not just go with the flow?

Enjoy your LARPfest at Deaf-cons, tell folks you're a White Hat Ethical Hacker, get drunk in the Penthouse party on the $MegaCorp dime, and maybe even fuck a stripper in the Champagne room.

It doesn't matter because it's all fake security anyways.