CIA Created 'CherryBlossom' Toolkit For Hacking Hundreds of Router Models (bleepingcomputer.com)
An anonymous reader writes: After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series -- documents about a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models. The tool is by far one of the most sophisticated CIA malware frameworks in the CIA's possession. The purpose of CherryBlossom is to allow operatives to interact with and control SOHO routers on the victim's network. The tool can sniff, log, and redirect the user's Internet traffic, open a VPN to the victim's local network, execute actions based on predefined rules, alert operators when the victim becomes active, and more. A 24-page document included with the CherryBlossom docs lists over 200 router models from 21 vendors that the CIA could hack. The biggest names on this list are Apple, D-Link, Belkin, Aironet (Cisco), Linksys, and Motorola.
Two words: Reasonable Doubt (Score:1)
Defense attorneys must be salivating at this news, right? The fact that so many different router models are exploitable just screams "reasonable doubt." Hundreds of different models of routers are affected. If the CIA could find and exploit these vulnerabilities, so could other people. Anyone being charged with a computer crime that doesn't have a physical nexus (e.g. DPR getting fake passports in the mail) should point to this information and say see, my router was hackable, anyone in the world could have
Can this infect 3rd party firmware? (Score:3, Interesting)
For example Tomato, DD-WRT, OpenWRT, and all the variants that are so popular on commodity hardware.
Re:Can this infect 3rd party firmware? (Score:5, Informative)
Did you actually read the article?
They are replacing the existing firmware with a new version with 'extra' functionality.
The people who would not notice are the ones who would use the system out of the box and would not notice a hard reset. I am guessing a custom firmware users would notice.
Re: (Score:2)
Honestly, I probably wouldn't unless they did it badly. If there was a hard reset I would assume a power issue while I wasn't looking. If they didn't change the function or the admin interface, I probably wouldn't know that my Tomato had been replaced with CherryTomato.
Re: (Score:2)
CherryTomato.
Don't give them any ideas!
The "supported" model list makes it look like they are only targeting default OEM loads. Which makes sense since that's what most people run.
Re: (Score:2)
I compile my own TomatoUSB based on Toastman source, also I can only access it from intranet via ssh. I check my log from time to time to see if there is any anomaly too.
DD-WRT (Score:2)
I didn't see anything about DD-WRT flashed routers in the manual.
So maybe I'm good.
Re: (Score:1)
Mate, they are especially interested in neckbeards. We've known about XkeyScore for some time. Its job is to flag users for enhanced monitoring. Amongst its targets are terrorists, political extremists, system administrators, Linux users, VPN users, and readers of sites like slashdot.
Re: (Score:2)
What makes you think VPN providers haven't been compromised?
Re: (Score:2)
You assume that they need to break the encryption...
They could attempt to hack the VPN provider, clearly they have access to plenty of undisclosed vulnerabilities and have skilled people working for them so this isn't outside the realms of possibility.
If the VPN provider is under their jurisdiction, or that of their allies, they could demand access.
They could demand access to payment details for the VPN provider, and correlate this data with others to build up profiles of people's identities.
Plenty of attac
Re:DD-WRT (Score:5, Insightful)
Read further in that section:
Prerequisites:
client computer with ethernet interface and firmware file
ethernet cable
device LAN IP address (referred to below as )
device web interface password
They have an embedded agent for most common hardware models and kernels (and a "CB Manual" possibly for custom building the agent.)
No surprise... once you have code you can manage to graft it into almost anything.
However, unlike lots of the other entries, no tool to crack it in the first place... they'd have to have physical access, or an exploit tool not covered in this document.
its a MITM replacement of firmware (Score:3, Insightful)
So the CIA uses its PoP to man-in-the-middle traffic directed at router manufacturers' firmware update sites, and none of them simply checked the firmware signature before applying?
This is a pretty basic exploit and a pretty basic check for the router manufacturers...
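The check the comment calls for, as an added illustration that is not the page's, CherryBlossom's or any vendor's code: a device-side updater that refuses to flash an image whose vendor signature or version does not check out. The image layout, the toy-sized RSA key and the sample payload are all constructed here.

```python
"""Toy firmware-image verifier: check the vendor signature before flashing.

Added illustration, not CherryBlossom or any vendor's code. The image layout
(magic | version | signature | payload), the RSA key and the sample payload
are all constructed here; the key is toy-sized so the block runs offline,
where a real device would embed a production-sized vendor public key."""
import hashlib
import struct

MAGIC = b"FWIM"
# Constructed toy RSA key. Only (N, E) would be burned into the device.
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: vendor build server only


def digest(version: int, payload: bytes) -> int:
    """Hash version and payload together so neither can be swapped alone."""
    h = hashlib.sha256(MAGIC + struct.pack(">I", version) + payload).digest()
    return int.from_bytes(h, "big") % N  # reduction mod N is a toy-key artefact


def vendor_sign(version: int, payload: bytes) -> bytes:
    """Vendor side: produce a signed image (magic | version | sig | payload)."""
    sig = pow(digest(version, payload), D, N)
    return MAGIC + struct.pack(">IQ", version, sig) + payload


def verify_image(image: bytes, installed_version: int):
    """Device side: return (ok, reason). The updater flashes only when ok."""
    if len(image) < 16 or image[:4] != MAGIC:
        return False, "bad header"
    version, sig = struct.unpack(">IQ", image[4:16])
    payload = image[16:]
    if pow(sig, E, N) != digest(version, payload):
        return False, "signature mismatch"  # altered in transit or never signed
    if version <= installed_version:
        return False, "rollback rejected"  # genuine but old: a downgrade attempt
    return True, "ok"


if __name__ == "__main__":
    good = vendor_sign(5, b"constructed sample payload")
    print(verify_image(good, 4))                             # (True, 'ok')
    print(verify_image(good[:16] + b"tampered payload", 4))  # signature mismatch
    print(verify_image(good, 5))                             # rollback rejected
```

The MITM case the comment describes is the second call: a swapped payload under an unchanged header fails the signature check, and the updater never reaches the flash step.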
pfSense (Score:2)
Been using pfSense for years now, glad to know the FreeBSD lifestyle is still holding up better than commercial consumer bullshit!
Plug and play vs long password? (Score:2)
FlyTrap then connects to CherryTree.
Mission then sends down the tasks to the device.
CherryWeb is the GUI that looks over the new network.
Windex alters the computers' browsers, i.e. malware.
A copy of networked data via a new VPN.
Years of access.
so about that CFAA... (Score:2, Insightful)
This is certainly "unauthorized access to a computer system". So we're going to see people going to prison for this, right? Like I would, if I did something like that? ..... right?
Re: (Score:3)
You forget... there are two sets of rules:
One for those who *make* the rules
Another for the rest of us.
Governments can murder, steal, defame and generally do many things that, as individuals, we would be prosecuted and perhaps even forfeit our lives for.
And who says that power doesn't corrupt?
Phew (Score:1)
Good to see Ubiquiti isn't on the list
"At least in the US" (Score:5, Insightful)
Page 24...
"Barring guidance from the Sponsor with regards to particular devices of interest, Cherry Blossom has attempted to support wireless network devices that are ubiquitous and readily available (at least in the US)."
Why does CIA care what is "ubiquitous" and "readily available" in the United States? Who are they targeting? Why would they waste considerable sums of time and effort developing cracked firmware images based on US market availability? Is the CIA's mission spying on Americans? Isn't this supposed to be "Illegal"?
Re: (Score:1)
The CIA is forbidden from operating in the US. So much for rules and laws.
Re: (Score:2)
The CIA is forbidden from operating in the US. So much for rules and laws.
Yep. They have dirt on you and everyone else, too. It doesn't even have to be dirt, but just data, which can be misconstrued to frame any person quite readily, for just about any kind of claimed legal transgression.
The innocent should be just as afraid as the guilty.
If this snooped-upon group of Americans includes members of the House and Senate, who make the laws controlling the CIA, then they have your government by the balls, and there is nothing anyone can (safely) do about it.
Ignorance is freedom.
"Cherry Blossom"?? (Score:2)
Sounds like some obscure porn activity.
Good. No Netgear. (Score:3)
Let's hope the absence of Netgear from the router list means my Netgear DGN2200M isn't vulnerable...
Re: (Score:2)
Oh well, in a couple of months the NBN will be hitting my area (apparently) and I will need a new router that is compatible with the VDSL2 FTTN gear. Then I can buy one that doesn't suck and put open source firmware on it that sucks even less :)
Why was this leak worthy? (Score:2)
Snowden blew the whistle on NSA wrongdoing. This isn't wrongdoing, it's the toolset of a public security agency that wasn't using them to violate th
Questionable documentation... (Score:1)
If the (U) and (S) of items in the table of contents refer to (Unclassified) or (Secret) classifications, then the author of the document should have their security clearance revoked.
Whenever a document contains multiple classifications, the document as a whole is classified at the strictest level; for example, if you have a document that is comprised of all Unclassified material ex
Re: (Score:2, Interesting)
The Government spy agencies shouldn't be creating f...ing malware/trojans.. Cause this will happen every time. Information wants to be free. These also seem to be old equipment models. They don't even have 802.11ac equipment listed? Oh wait, the CIA has updated attack tools that haven't been stolen....yet.
Re: (Score:2, Insightful)
If you play by the rules but your adversaries don't, then you are at a disadvantage...
Yes the NSA/CIA have 0day exploits, but so do the intelligence agencies of Russia, China, Israel, North Korea etc, and so do organised criminals. If the NSA gave up theirs, that would just make it easier for the others.
Also likely these tools leaked quite some time ago, and 802.11ac wasn't around yet. But even if such versions aren't listed, that doesn't mean the vulnerabilities aren't still present. If they weren't previo
Re: (Score:3)
There's plenty of debate on what constitutes responsible disclosure of vulnerabilities, but this document appears to only explain how the tool is used, not including the tool itself, so that isn't even the conversation to be having. Your argument seems more applicable to The Shadow Brokers.
What this leak would seem to do would be to correct the mistake the CIA made by failing to disclose vulnerabilities to vendors so they could use it themselves. Pretty much the only way to criticize Wikileaks here is
Re: (Score:2)
*Perhaps the ethical thing to do would be to inform the manufacturers and give them reasonable notice prior to simply dumping the information online*
Well yes. But did deploying this tool equal dumping the info online or not?
Re: (Score:1)
Wikileaks could have informed the manufacturers first, giving them time to create patches before it's leaked to the interwebs.
That's bullshit. The manufacturers are well aware of the flaws being exploited, and it is just as plausible they left them open on 'request'.
Re: (Score:2)
The CIA, NSA and FBI could also inform manufacturers of these flaws, rather than request they remain, instead of weakening the security of this nation's network infrastructure by actively exploiting them for fun and profit.
Re: (Score:2)
I don't know, I would consider clandestinely destroying the 4th and 5th amendments to bolster my budget both fun and profitable. Creepy.... but fun.
Re:Thanks wikileaks you are really helping (Score:4, Insightful)
A small vulnerability in a $50 consumer grade router that only results in a small number of users getting hit, most of whom will never know they were pwned anyway, will not usually result in a massive effort to patch the flaws. Only after it is exploited on a wide scale and public attention and/or lawsuits brought will the beancounters think it's economically worth doing.
Re: (Score:3)
I'd argue that the bigger problem is that companies producing consumer products don't take security design seriously. Notifying them and letting them patch before disclosure only serves to bolster a reactionary design culture, and won't help transform the industry into a proactive one.
Full zero-day disclosure may have a long term positive effect in that customers who get bit are likely to take their money elsewhere, punishing those who make vulnerable products, and giving new companies a boost.
This allows
Re: (Score:2)
A small vulnerability in a $50 consumer grade router that only results in a small number of users getting hit, most of whom will never know they were pwned anyway, will not usually result in a massive effort to patch the flaws. Only after it is exploited on a wide scale and public attention and/or lawsuits brought will the beancounters think it's economically worth doing.
In the end I think most of these manufacturers should collaborate, fund and use a common community-driven firmware. Just slap a custom
Re: (Score:3)
Check out Luxul routers. Not the cheapest, but built on OpenWRT. I've had a few now. Different models. All have been secure. And yes, I've personally pen tested, and have had others pen test.
Re: (Score:2)
While everyone collaborating on a single open source firmware may make sense in many ways there are still problems with this approach...
Some will contribute a lot while others will just leech off the community, this may anger those who do contribute and discourage them from doing so.
Inevitably there will be disagreements and you'll end up with incompatible forks.
Some vendors will introduce vulnerabilities not present in the core code, or produce devices which never get updated etc and damage the reputation
Re: Fuck off america (Score:1)
There is every reason to believe that intelligence agencies in other countries do the same things. Is there ANY reason to doubt that intelligence agencies in the UK, Germany, China, Russia, and other countries aren't doing the same things? Of course they're doing the same things! A lot of the world would be hypocrites to complain about this. Those governments and plenty of others are just as interested in spying as the US government is. You just wanted to post some flamebait, so congratulations on making a
Re: (Score:2)
In an ideal world no one would do it, but if everyone else is doing it then you have to do so too or else you fall behind.