Slashdot Mirror


CIA Created 'CherryBlossom' Toolkit For Hacking Hundreds of Router Models (bleepingcomputer.com)

An anonymous reader writes: After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series -- documents about a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models. The tool is by far one of the most sophisticated CIA malware frameworks in the CIA's possession. The purpose of CherryBlossom is to allow operatives to interact with and control SOHO routers on the victim's network. The tool can sniff, log, and redirect the user's Internet traffic, open a VPN to the victim's local network, execute actions based on predefined rules, alert operators when the victim becomes active, and more. A 24-page document included with the CherryBlossom docs lists over 200 router models from 21 vendors that the CIA could hack. The biggest names on this list are Apple, D-Link, Belkin, Aironet (Cisco), Linksys, and Motorola.

13 of 107 comments

  1. Can this infect 3rd party firmware? by Anonymous Coward · · Score: 3, Interesting

    For example Tomato, DD-WRT, OpenWRT, and all the variants that are so popular on commodity hardware.

    1. Re:Can this infect 3rd party firmware? by hashish · · Score: 5, Informative

      Did you actually read the article?
      They are replacing the existing firmware with a new version with 'extra' functionality.
      The people who would not notice are the ones who would use the system out of the box and would not notice a hard reset. I am guessing a custom firmware users would notice.

  2. Re: Thanks wikileaks you are really helping by Anonymous Coward · · Score: 2, Interesting

    The Government spy agencies shouldn't be creating f...ing malware/trojans. Cause this will happen every time. Information wants to be free. This also seems to be old equipment models. They don't even have 802.11ac equipment listed? Oh wait, the CIA has updated attack tools that haven't been stolen....yet.

  3. Re: Thanks wikileaks you are really helping by king+neckbeard · · Score: 2

    There's plenty of debate on what constitutes responsible disclosure of vulnerabilities, but this document appears to only explain how the tool is used, not including the tool itself, so that isn't even the conversation to be having. Your argument seems more applicable to The Shadow Brokers.

    What this leak would seem to do would be to correct the mistake the CIA made by failing to disclose vulnerabilities to vendors so they could use it themselves. Pretty much the only way to criticize Wikileaks here is to claim that the CIA are the good guys, which doesn't really jibe with the entire history of the CIA, especially for the /. crowd.

    --
    This is my signature. There are many like it, but this one is mine.
  4. it's a MITM replacement of firmware by johnjones · · Score: 2, Insightful

    So the CIA uses its PoP to man-in-the-middle traffic directed at router manufacturers' firmware update sites, and none of them simply checked the firmware signature before applying?

    This is a pretty basic exploit and a pretty basic check for the router manufacturers...

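Worked example, added here by the editor and not part of any comment above or of the leaked documents: what "check the firmware signature before applying" looks like on the router side, and why a bare hash fetched from the same update server (a generalization the comment does not spell out) does not stop an on-path attacker. The package layout (`FWUP` magic, length, image, Ed25519 signature), the image bytes and the function names are all constructed for this example; no vendor uses this exact format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed package layout for this example (not any vendor's real format):
//   "FWUP" | uint64 big-endian image length | image bytes | 64-byte Ed25519 signature
// The signature covers the magic, the length field and the image, so an
// on-path attacker cannot truncate or swap the image without invalidating it.
const magic = "FWUP"

var (
	ErrMalformed = errors.New("malformed update package")
	ErrBadSig    = errors.New("firmware signature verification failed")
)

// BuildUpdate runs on the vendor's build server; priv never leaves it.
func BuildUpdate(priv ed25519.PrivateKey, image []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, uint64(len(image)))
	buf.Write(image)
	buf.Write(ed25519.Sign(priv, buf.Bytes())) // sign header + image together
	return buf.Bytes()
}

// VerifyUpdate runs on the router before a single byte is written to flash.
// pub is baked into the currently running firmware, so it never travels over
// the (possibly intercepted) update channel.
func VerifyUpdate(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	hdr := len(magic) + 8
	if len(pkg) < hdr+ed25519.SignatureSize || string(pkg[:len(magic)]) != magic {
		return nil, ErrMalformed
	}
	n := binary.BigEndian.Uint64(pkg[len(magic):hdr])
	if n != uint64(len(pkg)-hdr-ed25519.SignatureSize) {
		return nil, ErrMalformed // length field must account for every byte
	}
	end := hdr + int(n)
	if !ed25519.Verify(pub, pkg[:end], pkg[end:]) {
		return nil, ErrBadSig
	}
	return pkg[hdr:end], nil
}

// HashOnlyCheck is the weak scheme: the router downloads the image and its
// expected SHA-256 from the same server. It catches corruption, not attackers.
func HashOnlyCheck(image []byte, expected [32]byte) bool {
	return sha256.Sum256(image) == expected
}

// MITMTamper is what the on-path attacker does against a hash-only router:
// append an implant and republish a matching hash.
func MITMTamper(image, implant []byte) ([]byte, [32]byte) {
	evil := append(append([]byte{}, image...), implant...)
	return evil, sha256.Sum256(evil)
}

// MITMRepackage is the best the attacker can do against a signature-checking
// router without the vendor's private key: splice the tampered image into the
// genuine package and keep the vendor's original signature.
func MITMRepackage(pkg, evilImage []byte) []byte {
	sig := pkg[len(pkg)-ed25519.SignatureSize:]
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, uint64(len(evilImage)))
	buf.Write(evilImage)
	buf.Write(sig)
	return buf.Bytes()
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v1.0") // stand-in for a real image

	pkg := BuildUpdate(vendorPriv, image)
	_, err := VerifyUpdate(vendorPub, pkg)
	fmt.Println("genuine update:", err) // <nil>

	evil, evilHash := MITMTamper(image, []byte("+implant"))
	fmt.Println("hash-only router accepts tampered image:", HashOnlyCheck(evil, evilHash)) // true

	_, err = VerifyUpdate(vendorPub, MITMRepackage(pkg, evil))
	fmt.Println("signed router, spliced image:", err) // signature failure

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, err = VerifyUpdate(vendorPub, BuildUpdate(attackerPriv, evil))
	fmt.Println("signed router, attacker-signed image:", err) // signature failure
}
```

The point of the two MITM functions: with only a hash the attacker controls both the image and the published digest, so the check passes; with a signature over the whole package the attacker can neither re-sign (no private key) nor reuse the old signature on new bytes. The length check before verification matters too, so that trailing or truncated data cannot be used to shift which bytes are treated as the signature.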

  5. so about that CFAA... by Anonymous Coward · · Score: 2, Insightful

    This is certainly "unauthorized access to a computer system". So we're going to see people going to prison for this, right? Like I would, if I did something like that? ..... right?

    1. Re:so about that CFAA... by NewtonsLaw · · Score: 2

      You forget... there are two sets of rules:

      One for those who *make* the rules

      Another for the rest of us.

      Governments can murder, steal, defame and generally do many things that, as individuals, we would be prosecuted and perhaps even forfeit our lives for.

      And who says that power doesn't corrupt?

  6. Re:DD-WRT by skids · · Score: 4, Insightful

    Read further in that section:

    Prerequisites:
      client computer with ethernet interface and firmware file
      ethernet cable
      device LAN IP address (referred to below as )
      device web interface password

    They have an embedded agent for most common hardware models and kernels (and a "CB Manual", possibly for custom building the agent).
    No surprise... once you have code you can manage to graft it into almost anything.

    However, unlike lots of the other entries, no tool to crack it in the first place... they'd have to have physical access, or an exploit tool not covered in this document.

  7. "At least in the US" by WaffleMonster · · Score: 5, Insightful

    Page 24...

    "Barring guidance from the Sponsor with regards to particular devices of interest, Cherry Blossom has attempted to support wireless network devices that are ubiquitous and readily available (at least in the US)."

    Why does CIA care what is "ubiquitous" and "readily available" in the United States? Who are they targeting? Why would they waste considerable sums of time and effort developing cracked firmware images based on US market availability? Is the CIA's mission spying on Americans? Isn't this supposed to be "Illegal"?

  8. Re:Thanks wikileaks you are really helping by ogdenk · · Score: 3, Insightful

    A small vulnerability in a $50 consumer grade router that only results in a small number of users getting hit, most of whom will never know they were pwned anyway, will not usually result in a massive effort to patch the flaws. Only after it is exploited on a wide scale and public attention and/or lawsuits brought will the beancounters think it's economically worth doing.

  9. Re:Thanks wikileaks you are really helping by arth1 · · Score: 2

    I'd argue that the bigger problem is that companies producing consumer products don't take security design seriously. Notifying them and letting them patch before disclosure only serves to bolster a reactionary design culture, and won't help transform the industry into a proactive one.

    Full zero-day disclosure may have a long term positive effect in that customers who get bit are likely to take their money elsewhere, punishing those who make vulnerable products, and giving new companies a boost.
    This allows for evolutionary pressure, while responsible disclosure greatly reduces the pressure, and thus the evolution.

  10. Good. No Netgear. by jonwil · · Score: 2

    Let's hope the absence of Netgear from the router list means my Netgear DGN2200M isn't vulnerable...

  11. Re:Thanks wikileaks you are really helping by Highdude702 · · Score: 2

    Check out Luxul routers. Not the cheapest but built on OpenWRT I've had a few now. Different models. All have been secure. And yes I've personally pen tested, and have had others pen test.