CIA Exploits Against Wireless Routers

WikiLeaks has published CherryBlossom, the CIA's program to hack into wireless routers. The program is about a decade old.

Four good news articles. Five. And a list of vulnerable routers.

Posted on June 28, 2017 at 5:35 AM • 30 Comments

Comments

Dan H • June 28, 2017 6:51 AM

Don't forget when you begin your replies about the "evil" US CIA and NSA that China, Russia, North Korea, Iran, and a host of other countries, without great human rights records are doing the same thing.

Another Kevin • June 28, 2017 6:57 AM

'Tomato' is an unfortunate code name for one of the exploit packages, when it's also the name of a popular distribution of after-market firmware for the very same routers. At least I presume there's no connection, or else I hacked myself years ago while attempting to achieve better security for my home network!

Jenny • June 28, 2017 7:54 AM

All these CIA leaks make me wonder if they are deliberate.

The Americans may be concerned about Trump and Russian meddling in their elections, and what better way to make people take security seriously than leaking the vulnerabilities yourself.

CU Anon • June 28, 2017 8:22 AM

DAN H :

    Don't forget when you begin your replies about the "evil" US CIA and NSA that China, Russia, North Korea, Iran, and a host of other countries...

Are you saying the US belongs in the 'evil' countries list?

B • June 28, 2017 9:47 AM

If the CIA was not doing this we should fire everyone in the division and hire competent intelligence professionals. All nation states engage in this type of behavior so I am not sure what the point of the disclosure is - should we be shocked that the US is pretty good at this stuff? Shocked that it was disclosed? To me the only shocking thing would be if the CIA was not a leader in this field.

Or, is the point that it is immoral for foreign intelligence agencies to exploit vulnerabilities to carry out their mission (you know, spying)? Or that it is only immoral when the CIA does it but not when MSS or GRU or MI5 or BND or RGB do these exact same things?

Or is it that foreign intelligence is itself immoral, and we should shut down the CIA and encourage all other nations to shutter their foreign intelligence agencies so we can bask in new world order of safety?

JG4 • June 28, 2017 10:19 AM

The objection is not that the CIA is doing this to people outside the US. That clearly is their jurisdiction. The objection is that the CIA, with the assistance of others, are trampling the 4th amendment inside the US and that their approach puts at risk a large cross-section of global infrastructure. I've probably said before that with appropriate safeguards, some of the surveillance is a good idea. Snowden proved that we are light-years from appropriate safeguards. If mass casualties result from their approach of blocking good security practices, that will be further proof.

Pete • June 28, 2017 11:01 AM

If you care at all about home network security, don't run a home router. The vendors simply don't patch them quickly enough or often enough to be useful.

Quarterly patching just isn't sufficient.
In February, there was a nasty UDP issue found in the Linux kernels prior to 4.8.x, I think. So, if you have a router running anything prior to that, remote access is possible with just a slight amount of skill. The issue was introduced in 2.6.x kernels, so it has been around a long, long, time.

Basically, you are stuck building your own router with an OS that is constantly patched and being worked on. Probably running a minimal Linux or FreeBSD variant.

Patch your router, tonight. If the vendor doesn't have any patches, get an old PC or buy a $150 miniPC and install a minimal debian/ubuntu server, then follow some online instructions to turn it into a router. Your old wifi-router can be the wireless-AP for your network, just don't use it on the edge.

Please.

Ross Snider • June 28, 2017 12:20 PM

@ Dan H

The United States does not have a great human rights record. Not sure if you've looked recently.

But point taken. In great power conflict and geopolitics, these sorts of capabilities are not yet constrained by international law, and therefore are free game for intelligence competition.

This recommends an immediate solution: a series of treaties and international obligations requiring the United States and others to limit these kinds of capabilities, limit their use, fund secure systems technologies for consumers and infrastructure, create definitions and systems to constrain cyberweapons, their use and cyber intelligence operations.

We should develop clauses to prevent foreign intelligence capabilities from being used on domestic populations which could both help outlaw America's mass domestic surveillance programs and obligate other nations to limit their abilities to monitor their own populations.

This way the CIA doesn't get to use these technologies, but neither does the FSB, etc.

Cynthia Dame Logan on the lam • June 28, 2017 1:01 PM

Very first comment and subsequent amplifying comments, with the same slogan for dopes to repeat: everybody does it. Why the hair-trigger sensitivity on this issue?

Because this is how CIA targets protected persons for murder, disappearance and torture.

https://ronaldthomaswest.com/2014/11/22/reorganizing-murder-inc/
https://ronaldthomaswest.com/2014/12/20/alfreda-bikowsky-the-definition-of-stupid/

The vise on CIA's nuts just got another quarter-turn with the Chagos case referred to the ICJ. Because Chagos is a key site in the US torture gulag, along with Navy ships at sea, based at Diego Garcia and staffed by CIA torturers in military billets. CIA torture never stopped. CIA pukes in soldier suits just got busted supervising torture of Yemenis.

https://www.apnews.com/4925f7f0fa654853bd6f2f57174179fe/US-interrogates-detainees-in-Yemen-prisons-rife-with-torture

These are not just torture camps, they're death camps, with extrajudicial killing on Condor scales. This is an ongoing CIA crime against humanity - legally, what Nazis do. The world has teed up the command structure for Nuremberg 2.

Who runs it all?

http://www.zeit.de/politik/ausland/2017-06/cia-donald-trump-torture-abu-zubaydah-said/komplettansicht

meh • June 28, 2017 1:58 PM

A possible solution to the continual attack on IOT, SoHo devices and network capable appliances in general, may lie in removal of the attack surface. We all know the easiest method is cracking the admin software, like the webgui (http), telnet, ssh, ftp, snmp and so forth.

These things sit on these devices for years, rarely used, cept maybe during initial config. They are rarely part of the device's update cycle. Vendors send out patches to make the product better but overlook the admin tools and the software stacks it's made from. But web guis are a necessity these days, the average user just wants an easy way to config and forget.

And offboarding (toggle/switch based air gap) the admin tools and other rarely used features would provide 100% protection, regardless of consumer IT skill, vendor lifespan and default pwds. Products retain their ease of use when needed and are secure when not, no longer easy pickings for quick botnet takeovers. Who cares if my IOT runs 2002's bug ridden firmware, the stuff rapid bots exploit is not even connected to the mainboard, cept during that 5/10/15 min period I need to cfg my device.

I just want to hit the toggle switch with a built-in 10 min timer, so I can configure my net-enabled printer/fridge, etc via the webgui; when done the switch breaks (fail to safe spring) the connection and now my IOT is secure. Well, at least from the low hanging fruit, I know there's tons more vectors to attack from. I offboarded my wifi router, all vendor admin tools are on external storage, which I put into a drawer 10ft away, with no issues. When I need to cfg it, I just reconnect the storage device and web in, cfg and yank the storage device, simple, fast and secure. Would be easy to relocate all my IOT vendor admin tools from the devices to my USB stick and have one item to configure them all. And for vendors to implement this would be trivial.

CarpetCat • June 28, 2017 6:42 PM

If only USA Americans have brick house, and:
Rest of world lives in wood house, then:
Why does CIA have brickblasting tools?

Once again, I repeat, repeat, Hacking all those Internet of Things Refrigerators in the middle eastern sand?

Dirk Praet • June 29, 2017 3:30 AM

@ Pete

Basically, you are stuck building your own router with an OS that is constantly patched and being worked on. Probably running a minimal Linux or FreeBSD variant.

Indeed. It's not the first time we see an entire list of hopelessly compromised home routers. Even a really old dual NIC PC or laptop can easily be turned into a (FreeBSD based) pfSense router/firewall. Recommended for home users and SMBs. Power users may prefer a home-brew OpenBSD router, for which there are excellent guidelines available if you do a short search for them.

@ B

All nation states engage in this type of behavior so I am not sure what the point of the disclosure is - should we be shocked that the US is pretty good at this stuff?

The point is that we are living in an age of mass surveillance targeting world and dog, not just parties of "legitimate" interest. While there is nothing shocking about this disclosure, these leaks are a most welcome heads-up for defenders everywhere, especially to those for whom the NSA and the CIA are nothing but criminal foreign spying agencies.

TS • June 29, 2017 8:52 AM

-> Are you saying the US belongs in the 'evil' countries list?

It certainly hasn't belonged on Santa's "Nice" list anymore in a long while.

OutlawCountry • June 29, 2017 11:52 PM

OutlawCountry: project of the CIA targets computers running the Linux operating system

"Today, June 29th 2017, WikiLeaks publishes documents from the OutlawCountry project of the CIA that targets computers running the Linux operating system. OutlawCountry allows for the redirection of all outbound network traffic on the target computer to CIA controlled machines for ex- and infiltration purposes. The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from an user or even system administrator.

The installation and persistence method of the malware is not described in detail in the document; an operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system. OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain."

https://www.wikileaks.org/vault7/#OutlawCountry

-- Leaked Documents :

= OutlawCountry v1.0 User Manual
https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_User_Manual/
(PDF) https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_User_Manual/OutlawCountry_v1_0_User_Manual.pdf

= OutlawCountry v1.0 Test Plan
https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_Test_Plan/
(PDF) https://www.wikileaks.org/vault7/document/OutlawCountry_v1_0_Test_Plan/OutlawCountry_v1_0_Test_Plan.pdf

Who? • June 30, 2017 2:42 AM

@ OutlawCountry

"The malware consists of a kernel module that creates a hidden netfilter table on a Linux target; with knowledge of the table name, an operator can create rules that take precedence over existing netfilter/iptables rules and are concealed from an user or even system administrator."

A clever trick!

There are good reasons for choosing OpenBSD for sensitive tasks when a general purpose operating system is required. Getting [unauthorized] access to an OpenBSD system is challenging at best (a prerequisite to inject a malware like this one), the operating system dropped support for loadable kernel modules ten years ago and a modification to the kernel itself would be very easy to detect (on -current it is even easier, as this change will stop KARL).

It is good to see that leaks in recent years have not shown anything we would not expect from the IC. There has been no information about "surprising technologies" leaked [yet].

r • June 30, 2017 5:00 AM

With friends like that who needs enemies?

Comforting, maybe but it doesn't disqualify the other two aspects of these potentially being a) low end and b) short sighted.

There is a significant pool of exploits and resources, while the current has been flowing for a long time the questions of how far and how wide cannot be muted with the type of information that's being released...

Don't get comfortable, how do we separate the paranoid from the hacked?

Dirk Praet • June 30, 2017 5:22 AM

@ Who?, @ OutlawCountry

A clever trick!

A clever trick indeed, but one that can be defeated by implementing adequate auditing and file system monitoring. Tools that come to mind are Tripwire, AIDE and, once a signature of the offending module is available, chkrootkit and rkhunter. Which are part of a standard install on all of my *nix systems.
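The hidden-netfilter-table module quoted in the OutlawCountry comment above and the AIDE/Tripwire-style monitoring suggested here both come down to baseline-and-compare: record what the system looked like when trusted, then diff. The following is an added example written for this page, not code from the thread or from AIDE, Tripwire, chkrootkit or rkhunter. It hashes a file tree into a baseline, diffs two baselines, and diffs two /proc/modules snapshots. The directory layout, file contents, module snapshots and the module name `nf_table_example` are all constructed for the demo; the page does not give the real module's name, and nothing here is modelled on it.

```python
"""Baseline-and-compare checks of the kind AIDE/Tripwire automate, plus a
loaded-module inventory diff.  Added example for this page; not code from the
thread or from any of the tools named in it.  All sample data is constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its digest and mode bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(p), "mode": p.stat().st_mode & 0o7777}
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Files that appeared, vanished, or whose content/mode changed since the old baseline."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "changed": changed}


def parse_proc_modules(text: str) -> set:
    """The module name is the first whitespace-separated field of each /proc/modules line."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def unexpected_modules(baseline_text: str, current_text: str) -> set:
    """Modules loaded now that were not loaded when the baseline was taken."""
    return parse_proc_modules(current_text) - parse_proc_modules(baseline_text)


# Constructed /proc/modules snapshots: the line format matches the kernel's,
# the names, sizes and addresses are made up for the demo.
BASELINE_MODULES = """\
ipt_REJECT 12345 2 - Live 0x0000000000000000
nf_conntrack 98765 3 ipt_REJECT, Live 0x0000000000000000
"""
CURRENT_MODULES = BASELINE_MODULES + "nf_table_example 20480 0 - Live 0x0000000000000000 (OE)\n"


def demo() -> dict:
    """Take a baseline of a scratch tree, tamper with it the way a dropped-in module
    and an edited firewall rules file would, and report both diffs."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib/modules/extra").mkdir(parents=True)
        (root / "lib/modules/extra/ok.ko").write_bytes(b"\x7fELF" + b"\x00" * 32)
        (root / "etc/iptables").mkdir(parents=True)
        (root / "etc/iptables/rules.v4").write_text("*filter\nCOMMIT\n")
        before = build_baseline(root)
        # Simulated tampering after the baseline was recorded
        (root / "lib/modules/extra/dropped.ko").write_bytes(b"\x7fELF" + b"\x01" * 32)
        (root / "etc/iptables/rules.v4").write_text("*filter\n# edited\nCOMMIT\n")
        after = build_baseline(root)
        fs_report = compare_baselines(before, after)
    return {
        "fs": fs_report,
        "new_modules": sorted(unexpected_modules(BASELINE_MODULES, CURRENT_MODULES)),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. A module that hides itself from /proc/modules, the usual rootkit trick, defeats the in-memory inventory, so the file-system baseline is the more trustworthy of the two and should be recorded and verified from trusted media rather than from the possibly compromised running system. And, as the comment says, chkrootkit/rkhunter signature matching only helps once a sample of the offending module exists; until then the baseline diff is what you have.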

Clive Robinson • June 30, 2017 7:55 AM

@ Dirk Praet, OutlawCountry, Who?,

A clever trick indeed, but one that can be defeated by implementing adequate auditing and file system monitoring.

It was part of the reason behind the "Garden Path" idea.

The problem though is detecting that your outer router/device has not been owned without having to put up with a lot of crap on the outer interface. Especially when it's difficult to instrument the upstream side of the outer router/device.

The "upstream problem" is one the likes of the NSA just love, for the very reason you can no more see what they have been up to upstream of the first device not under your control, than they can see your instrumentation systems downstream of your traffic diode (be it cut TX wires, opto isolation etc etc).

ab praeceptis • June 30, 2017 12:59 PM

Who?, Dirk Praet, Clive Robinson et al.

Could we please stop the "Just use OpenBSD!" wisdom/advice?!

For one the cia attacked linux in this and many other attacks is not your workstation but some plastic box "router" thingy.

More generally though, I'm glad to see Dirk Praet mentioning that, safety/security is not some kind of status that can be somehow obtained by buying or installing xyz.

The danger of advice like "just use OpenBSD", "just buy xyz Anti-Virus", "just get a xyz notebook" usually boils down to actually *weakening* security in that it gives a gravely wrong impression of what security is to Joe and Jane.

Reasonable security always starts with questions.

Questions like "*What* do I want to be secure?", "*what value* does that security have to me?", "*against whom* and what kind of player do I want to defend?", etc.

Plus, very importantly, "what's *my* level of both interest and understanding the dangers, possible solutions, the trustworthiness of 'good guys' and of their solutions?"

"Just use OpenBSD!" quite often is as much a ticket to disaster as is "My windows is set up for auto-updates and I have bought the test winning AV". Not because OpenBSD is bad but because of inertia, ignorance, lack of knowledge and because OpenBSD is *not* a science fiction battlestation with AI but an OS. Just like with guns, the result depends on the tool as well as on the person using it.

As an OS, thanks to Dirk Praet for mentioning that, OpenBSD is but a start, a basis. Depending on your answers to the above questions, you might want to add file system monitoring (and examination of its output!), machine and OS monitoring (and examination of its output!), or, for higher grade profiles, you might even need to have a 365-24/7 team around and develop a partially automated evaluation and examination system.

Clive Robinson • June 30, 2017 3:47 PM

@ ab praeceptis,

Could we please stop the "Just use OpenBSD!" wisdom/advice?!

I generally try to avoid making OS recommendations, because I tend to view all the common/commercial OS's as a liability security wise. And generally espouse the segregation methods of security (whilst holding a pair of sprung wire cutters in my hand using them like one of these "improve your grip" exercise devices ;-)

There are however times when I will recommend the use of pre 2005 hardware with only a hardware locked ROM, copious RAM and a CD/DVD based OS for internet browsing as any nasties get whumped when a hard/power reset is performed. But I usually don't say which OS (as the commercial ones generally don't run from CD/DVD without a great deal of effort, many assume I mean FOSS).

However I might recommend as I did today the use of Linux for keeping legacy hardware running when commercial OSs change their I/O models etc.

The thing is if one is overly prescriptive in the advice you give, it generally ages faster than a banana in a fruit bowl. Worse, people tend not to grasp the principles, which is what security is often about.

Hence I will talk about energy-gapping and how to build shielding and test it, but I won't talk about products. Thus talk about instrumentation not tripwire, wireshark, metasploit, et al.

Kelly • June 30, 2017 6:55 PM

The US Gov't has become what it once hunted and still hunts.
I've no doubt of the evil of the US Gov't and it's "Civilian" agencies

r • June 30, 2017 9:24 PM

@Dirk Praet,

To paraphrase those cute little capital one Vikings harping at my brain...

What's in your standard install?

NIST? Nits?

Who's in your bitcoinage?

How many layers can we protect? How many layers can we defend our obscure?

My favorite way to eat macaroni/spaghetti/brains is with a nice hard fork, you?

r • June 30, 2017 9:32 PM

@Clive,

Are/is there a list of pre-2005 pin-nerf capable proms?

Maybe electrical short r/o bugs(think dead ones)?

Dirk Praet • July 1, 2017 9:53 AM

@ r

What's in your standard install?

That would be a rather lengthy post. Suffice it to say that I try to implement a multi-layered defense using industry standard best practices complemented with some additional techniques and methodologies I have picked up over here and from other places. Diversification, stripping, hardening, strict segregation, monitoring, auditing and real-time alerting are just a couple of elements worth mentioning. As is turning off anything you don't need at any given time.

@ Clive, @ OutlawCountry, @ Who?

The problem though is detecting that your outer router/device has not been owned without having to put up with a lot of crap on the outer interface.

One has to assume that the cable modem or other ISP-provided device for your connection by definition is p0wned by the time it is installed and turned on. You therefore put one or more routers of your own behind it, preferably complemented by a dedicated machine for network monitoring and NIDS (e.g. Security Onion, a Linux distro that does just that). Any different setup is an exercise in futility even trying to defend.

Clive Robinson • July 1, 2017 11:56 AM

@ Dirk Praet,

You therefore put one or more routers of your own behind it, preferably complemented by a dedicated machine for network monitoring and NIDS

That's what the garden path system essentially does. The trick though is to stop packet diversion upstream or content being read.

Whilst encryption of certain forms can protect the content from being read, packet diversion detection is a different level of protection.

You can do it with a modified version of onion routing that sets up a forward and reverse circuit through the nodes. If a node gets a packet from anywhere other than the circuit nodes it flashes back a warning and you fail hard.

Whilst it can not directly detect the physical layer for redirection timing marks in the packet can give an indication something is amiss.

It's something I'm working on theory wise and have run one or two practical tests. Not sure if it will make much of a security improvement in terms of confidentiality but it should give warning of the likes of a foreign nation playing with the likes of border routing.
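The forward/reverse circuit with "fail hard" described in the comment above, modelled as an added example for this page rather than code from the thread or from any onion-routing project: each relay knows only its two circuit neighbours, rejects a packet that claims to come from anyone else, and compares the packet's timing marks against a per-hop latency budget. The relay names, the budget of 2.0 time units and the arrival sequences are constructed; the hop identity is passed in as a plain string, which stands in for the per-hop authenticated link a real design would need (an assumption of this model, not something the comment specifies).

```python
"""Simulation of a circuit whose relays alarm on packets arriving from outside
the circuit or later than the per-hop budget.  Added example interpreting the
comment above; all names, budgets and arrival sequences are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class DiversionAlarm(Exception):
    """Raised by a relay when a packet did not arrive the way the circuit was built."""


@dataclass
class Packet:
    payload: bytes
    marks: List[Tuple[str, float]] = field(default_factory=list)  # (relay, clock) timing marks


@dataclass
class Relay:
    name: str
    prev_hop: Optional[str]   # neighbour towards the origin
    next_hop: Optional[str]   # neighbour towards the exit
    hop_budget: float         # assumed: per-hop latency budget measured while the circuit was set up

    def receive(self, pkt: Packet, from_node: str, now: float, forward: bool = True) -> Packet:
        # Forward traffic must come from prev_hop, reverse traffic from next_hop.
        expected = self.prev_hop if forward else self.next_hop
        if from_node != expected:
            raise DiversionAlarm(f"{self.name}: packet from {from_node!r}, circuit neighbour is {expected!r}")
        if pkt.marks:
            _, last = pkt.marks[-1]
            if now - last > self.hop_budget:
                raise DiversionAlarm(f"{self.name}: hop delay {now - last:.1f} exceeds budget {self.hop_budget}")
        pkt.marks.append((self.name, now))   # stamp our own timing mark for the next relay
        return pkt


def build_circuit(names: List[str], hop_budget: float) -> Dict[str, Relay]:
    """names is ordered origin -> exit; each relay learns only its two neighbours."""
    return {
        n: Relay(n, names[i - 1] if i else None, names[i + 1] if i + 1 < len(names) else None, hop_budget)
        for i, n in enumerate(names)
    }


def deliver(circuit: Dict[str, Relay], events: List[Tuple[str, str, float]], forward: bool = True) -> Tuple[bool, str]:
    """Replay (to_relay, claimed_from, clock) arrivals through the circuit.
    Returns (True, '') if every hop checked out, else (False, reason); the caller
    treats any False as 'fail hard' and tears the circuit down."""
    origin, start = events[0][1], events[0][2]
    pkt = Packet(b"hello", marks=[(origin, start)])   # the origin stamps the first mark
    try:
        for to, frm, clock in events:
            pkt = circuit[to].receive(pkt, frm, clock, forward)
    except DiversionAlarm as e:
        return False, str(e)
    return True, ""


# Constructed circuit and arrival sequences
CIRCUIT = build_circuit(["client", "r1", "r2", "r3"], hop_budget=2.0)
LEGIT = [("r1", "client", 0.0), ("r2", "r1", 1.0), ("r3", "r2", 2.0)]
DIVERTED = [("r1", "client", 0.0), ("r2", "rogue", 1.0)]      # injected from outside the circuit
SLOW = [("r1", "client", 0.0), ("r2", "r1", 5.0)]             # right neighbour, suspicious delay
REVERSE = [("r2", "r3", 0.0), ("r1", "r2", 1.0)]              # reply travelling exit -> origin

if __name__ == "__main__":
    for label, seq, fwd in [("legit", LEGIT, True), ("diverted", DIVERTED, True),
                            ("slow", SLOW, True), ("reverse", REVERSE, False)]:
        print(label, deliver(CIRCUIT, seq, forward=fwd))
```

The neighbour check is the hard signal; the timing check is, as the comment says, only an indication, and a budget set too tight will alarm on ordinary jitter, so it is something to measure during circuit setup rather than guess.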

Dirk Praet • July 2, 2017 3:53 PM

@ Clive

Whilst encryption of certain forms can protect the content from being read, packet diversion detection is a different level of protection.

Since there isn't much an end-user can do to prevent diversion and capture, it's probably best to focus on traffic encryption, even within your LAN. Doing IPSEC in a Windows-only environment is pretty straightforward, but a bit of a challenge in a hybrid environment. But it would be kinda cool to be able to detect diversion and subsequently fail hard, like you say.

Clive Robinson • July 3, 2017 2:56 AM

@ Dirk Praet,

But it would be kinda cool to be able to detect diversion and subsequently fail hard, like you say.

Look at it this way, the US has power over the Internet because much of it gets routed in that direction even if destined for somewhere else. Backstopping this power play is the Five Eyes that sit astride communications choke points, thus see much of the traffic that does not go all the way to the US.

This gives the Five Eyes a significant advantage over other countries. Thus the two basic things other countries can do are,

1, Play with routing protocols to divert traffic (not currently illegal).

2, Get inside the routers etc in other countries (illegal with threats of kinetic action).

Thus diverting traffic through a physical route you have control over is the safer option, and appears to have been tried from time to time...

Which brings us back to crypto if it's sufficient and properly implemented then this would not be an issue. But as we know things are very rarely properly implemented, and Quantum Computing is hanging over the feast like the sword above Damocles.

The steps users need to take to properly secure crypto, are not going to be popular with all but a few users, and not practical/possible for the majority.

Thus as with ship builders of old, it is best not to try to make a ship that will survive every storm, but build systems whereby a ship can navigate away from stormy waters.

Thus there will at some point be a demand for ways to warn you if your packets get blown off course...

y • July 4, 2017 7:57 PM

@B "Or is it that foreign intelligence is itself immoral, and we should shut down the CIA and encourage all other nations to shutter their foreign intelligence agencies so we can bask in new world order of safety?"

I'd say that your comments highlight how it can muddy the philosophical waters for the 90++% of people that aren't knowledgeable of the ethical intricacies involving the various details you highlighted. I.e. amongst the various almost formulaic responses to the Snowden disclosure is to highlight similar things with slightly different details but a different ethical balance, to the point that the vast majority of the populace ends up tuning out of the ethical debate.

However, I'll be happy to dive as deep into the details of the ethical debate as you have here. I.e. indeed, it was always a core problem of global society (from a US centric perspective) that there were these things called "liberties" defined by a "bill of rights", and how they seemed to only apply to consideration for co-citizens. For the world to become a much better place, there needs to be a much greater philosophical and academic emphasis on 'human rights' that transcend national borders.

Take for instance the longstanding ethical 'loopholes' of so called 'fourth party collection'. I.e. the U.S. gov can't legally or 'ethically' spy on its own citizens, but if at the end of the day it picks an ally and effectively allows that ally to spy on its citizens so that it can spy on the spying and thus navigate the ethical/legal 'loophole'. Well, as long as that kind of de-facto quid-pro-quo is going on without breaking out the guillotines, the rest is surely ethical theatre.
