Vault7: CIA planting “listening” firmware in WiFi routers

Newly surfaced documents in the WikiLeaks Vault7 series reveal that at least 25 WiFi router and access point models are susceptible to implants that enable the CIA to turn them into surveillance posts.

The implant, code-named CherryBlossom (carrying an exploit going by the name of Tomato), can easily make its way onto routers from Linksys, D-Link, Belkin and others disguised as a legitimate firmware update, delivered wirelessly. Models not inherently vulnerable can still be implanted with the surveillance software if poorly secured – i.e. with an easy-to-guess password. So, how does the hack work?

Compromising the router is as simple as upgrading its firmware, including wirelessly, which means physical access to the device isn’t strictly necessary for infection. Once the CherryBlossom firmware has been flashed onto the device, it becomes a “FlyTrap.”

The infected WiFi router, now essentially a beacon, sends information to a command-and-control (C&C) server known as the “CherryTree.” At this point, the exfiltrated data only includes device status and security information. With this information in hand, the C&C server sends back “missions” with operator-defined tasking. Per the WikiLeaks report:

“Therefore these devices are the ideal spot for ‘Man-In-The-Middle’ attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user.”

The kind of missions the CIA may send to infected routers include:

  • tasking on Targets to monitor
  • actions/exploits to perform on a target
  • instructions on when and how to send the next beacon

Tasks for a FlyTrap include (but are not limited to):

  • scanning passing network traffic for email addresses, chat usernames, MAC addresses and VoIP numbers, in order to trigger additional actions
  • copying of the full network traffic of a Target
  • redirection of a Target’s browser (e.g., to Windex for browser exploitation)
  • proxying of a Target’s network connections.

VPN tunnels to a CherryBlossom-owned VPN server can also be set up via the FlyTrap. This enables further exploitation because it gives an operator access to clients on the FlyTrap’s WLAN/LAN.

“When the Flytrap detects a Target, it will send an Alert to the CherryTree and commence any actions/exploits against the Target. The CherryTree logs Alerts to a database, and, potentially distributes Alert information to interested parties (via Catapult).”

Vault7 continues to churn out information about the CIA’s covert wiretapping tools, but most of this information describes the technologies employed by the agency – not so much how they’re being used. Vault7 has not yet produced evidence of abuse, only that the agency has allegedly been sitting on a cache of cyber-tools.

In related news, recent experiments show that malware-infected wireless routers can leak sensitive data through the blinking of status LEDs. Data can be covertly leaked via the status lights at bit rates from 10 bit/s to more than 1 Kbit/s per LED.
