
posted by cmn32480 on Friday June 16 2017, @10:08AM
from the let-me-contain-my-surprise dept.

Arthur T Knackerbracket has found the following story:

Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That's according to secret documents posted Thursday by WikiLeaks.

The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a "FlyTrap" that beacons a CIA-controlled server known as a "CherryTree." The beacon includes device status and security information that the CherryTree logs to a database. In response, the CherryTree sends the infected device a "Mission" consisting of specific tasks tailored to the target. CIA operators can use a "CherryWeb" browser-based user interface to view FlyTrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

[...] All the communications between the FlyTrap and the CIA-controlled CherryTree, with the exception of copied network data, are encrypted and cryptographically authenticated. For extra stealth, the encrypted data masquerades as a browser cookie in an HTTP GET request for an image file. The CherryTree server then responds to the request with a corresponding binary image file.

CherryBlossom is the latest release in WikiLeaks' Vault7 series, which the site purports was made possible when the "CIA lost control of the majority of its hacking arsenal." CIA officials have declined to confirm or deny the authenticity of the documents, but based on the number of pages and unique details exposed in the series, there is broad consensus among researchers that the documents are actual CIA materials.

-- submitted from IRC
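The beacon shape described in the story (encrypted data carried as a browser cookie on a GET for an image file) is something a defender can look for in web-proxy or egress logs, which is also the detection question raised in the comments. The following is an added example written for this page, not code from the article, WikiLeaks or the leaked documents: it scans constructed access-log lines for image GETs whose Cookie header is unusually long or high-entropy. The log line layout, the `cookie="..."` field, the thresholds and the sample addresses are all assumptions made for the example.

```python
"""Heuristic detection of beacon traffic hidden in HTTP cookies.

Added example (not from the article or the leaked documents): scans
proxy/web-server access log lines for GET requests to image files whose
Cookie header is unusually long or high-entropy, the shape of the FlyTrap
beacon the story describes. The log line format, field names and
thresholds below are assumptions for this example.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed log layout (constructed for this example):
#   <client-ip> "<METHOD> <path> HTTP/x.y" <status> <bytes> cookie="<Cookie header>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) cookie="(?P<cookie>[^"]*)"$'
)
IMAGE_EXTENSIONS = (".gif", ".png", ".jpg", ".jpeg", ".ico")


def shannon_entropy(text: str) -> float:
    """Bits per character; encrypted or encoded blobs score near log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


@dataclass
class Finding:
    ip: str
    path: str
    cookie_len: int
    entropy: float
    reasons: List[str]


def analyze_line(line: str, min_len: int = 200, min_entropy: float = 4.5) -> Optional[Finding]:
    """Return a Finding for an image GET whose cookie looks like an opaque blob, else None."""
    m = LOG_RE.match(line)
    if m is None or m["method"] != "GET":
        return None
    if not m["path"].lower().endswith(IMAGE_EXTENSIONS):
        return None
    cookie = m["cookie"]
    entropy = shannon_entropy(cookie)
    reasons = []
    if len(cookie) >= min_len:
        reasons.append(f"cookie length {len(cookie)} >= {min_len}")
    if entropy >= min_entropy:
        reasons.append(f"cookie entropy {entropy:.2f} >= {min_entropy}")
    if not reasons:
        return None
    return Finding(m["ip"], m["path"], len(cookie), entropy, reasons)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the heuristic over every log line and keep only the hits."""
    return [f for f in (analyze_line(line) for line in lines) if f is not None]


# Constructed sample: an opaque 256-character cookie (placeholder, not a real beacon)
# built by repeating the base64 alphabet, so its entropy is exactly 6 bits per character.
BASE64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
BEACON_COOKIE = BASE64_ALPHABET * 4

# Constructed log lines: two ordinary browser requests, one image GET carrying the
# opaque cookie, and one POST with the same cookie (ignored: the heuristic targets GETs).
SAMPLE_LOG = [
    '198.51.100.7 "GET /index.html HTTP/1.1" 200 5120 cookie="sessionid=abc123; theme=dark"',
    '198.51.100.7 "GET /img/banner.png HTTP/1.1" 200 9001 cookie="sessionid=abc123; theme=dark"',
    f'192.0.2.10 "GET /img/logo.gif HTTP/1.1" 200 4312 cookie="{BEACON_COOKIE}"',
    f'192.0.2.10 "POST /api/upload HTTP/1.1" 200 12 cookie="{BEACON_COOKIE}"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.ip, finding.path, "; ".join(finding.reasons))
```

The two thresholds are deliberately loose: a real deployment would baseline normal cookie lengths per site first, because long but legitimate cookies (tracking identifiers, signed session tokens) will also trip the length rule, and the entropy rule alone catches only cookies that are mostly encrypted or encoded payload rather than `key=value` pairs. The point is the shape of the check, not the exact numbers.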


  • (Score: 2) by kaszz on Friday June 16 2017, @10:56AM (14 children)

    by kaszz (4211) on Friday June 16 2017, @10:56AM (#526384) Journal

    Anyone found the "Wifi Devices.xls" list of supported devices?

    Anyway, it seems the installation relies on upgrade over the wireless interface. So blocking that and locking down access keys goes some way to block this. The implant also seems to send a beacon signal which could be detected. The flash image will also be modified, an obvious giveaway.

  • (Score: 4, Informative) by butthurt on Friday June 16 2017, @11:11AM (10 children)

    by butthurt (6141) on Friday June 16 2017, @11:11AM (#526386) Journal
    • (Score: 1, Informative) by Anonymous Coward on Friday June 16 2017, @12:47PM (9 children)

      by Anonymous Coward on Friday June 16 2017, @12:47PM (#526406)

      interesting, no Netgear in there

      • (Score: 3, Informative) by ledow on Friday June 16 2017, @01:09PM (2 children)

        by ledow (5567) on Friday June 16 2017, @01:09PM (#526411) Homepage

        Or Draytek

        • (Score: 2, Informative) by pTamok on Friday June 16 2017, @01:16PM (1 child)

          by pTamok (3042) on Friday June 16 2017, @01:16PM (#526414)

          Or indeed, no Buffalo, or TP-Link, or TRENDnet

          Interesting to compare with the list of supported devices for LEDE/OpenWrt here: https://lede-project.org/toh/start [lede-project.org]

          I wonder what the common thread is (or was) that makes the vulnerable routers vulnerable.

          • (Score: 0) by Anonymous Coward on Friday June 16 2017, @07:55PM

            by Anonymous Coward on Friday June 16 2017, @07:55PM (#526588)

            "used by foe" is probably the determining factor. If yes, allocate budget.

            Something only sold in the USA will instead be hacked by every other country in the world. (except China, since they already have a back door)

      • (Score: 1) by Revek on Friday June 16 2017, @01:18PM (5 children)

        by Revek (5022) on Friday June 16 2017, @01:18PM (#526415)

        Most netgear routers I've hooked up a serial cable to are running versions of openwrt. Of course the FCC doesn't want you to run open source firmwares on your equipment for some reason.

        --
        This page was generated by a Swarm of Roaming Elephants
        • (Score: 3, Interesting) by hendrikboom on Friday June 16 2017, @02:05PM (1 child)

          by hendrikboom (1125) Subscriber Badge on Friday June 16 2017, @02:05PM (#526426) Homepage Journal

          The FCC has modified their stance. They just don't want you to mess with the RF stuff. They have recognised that free user software can enhance security rather than cause unacceptable radio interference.

          • (Score: 4, Informative) by frojack on Friday June 16 2017, @06:28PM

            by frojack (1554) on Friday June 16 2017, @06:28PM (#526552) Journal

            Exactly, and the bands differ in different parts of the world.

            Rather than making the physical device locked to specific bands, via a 6 cent rom chip, they let the vendors build software controlled radios, and act all alarmed that end-users understand software.

            The interesting way around this that was quietly foisted upon just about everybody (apparently) by governments is CRDA standard [die.net] where the wifi chipset can be told its country code by the kernel depending on where [kernel.org] the wifi chipset is used.

            That was such a good idea (cough) that they decided to go one better and dynamically fetch this information over any available network connection and reprogram wifi chips on the fly. So people are seeing constant calls to crda in their logs, where the software stack is trying to force regulatory domains (country codes) updates from information fetched over the network, sometimes with debilitating results, such as when the wifi was manufactured with defaults for one area, but is being used in a laptop in another area, and every connect/disconnect gets in a turf war with itself.

            --
            No, you are mistaken. I've always had this sig.
        • (Score: 3, Interesting) by pendorbound on Friday June 16 2017, @02:34PM (2 children)

          by pendorbound (2688) on Friday June 16 2017, @02:34PM (#526438) Homepage

          FCC doesn't care if you run mod'd firmware, as long as it doesn't exceed the radio transmit power or stray from approved frequencies. Since most WiFi chipsets are to some degree a software defined radio (at least within limited WiFi-related frequencies), it's possible on many of them to load firmware that will transmit with more power or on frequencies that aren't approved for unlicensed WiFi use in the US.

          Some of the vendors got lazy and just locked the entire firmware chain. All they *had* to do was lock the radios, maybe by shipping hardware that had its region/power settings burned into the radio chip rather than loaded from the host OS at runtime, but that would have taken effort. Locking the entire system down was easier/cheaper, so that's what many vendors did.

          • (Score: 2) by kaszz on Friday June 16 2017, @03:37PM

            by kaszz (4211) on Friday June 16 2017, @03:37PM (#526472) Journal

            The upside to that is that a bigger lock is a larger attack surface.

          • (Score: 0) by Anonymous Coward on Saturday June 17 2017, @03:09AM

            by Anonymous Coward on Saturday June 17 2017, @03:09AM (#526783)

            So the practical effect (i.e. what actually matters here, not their intentions) of the FCC's rules was encouraging more proprietary junk? Good to know. At least there are still some options.

  • (Score: 2) by frojack on Friday June 16 2017, @06:33PM (1 child)

    by frojack (1554) on Friday June 16 2017, @06:33PM (#526554) Journal

    Anyone found the "Wifi Devices.xls" list of supported devices?

    More importantly, has anyone found/built a tool to detect these compromised routers in the wild?
    I would think that would be the first order of business.

    (I have had so many routers just go wonky on me over the years (even when I keep up with firmware updates) that I just about plan router replacements every 5 years.)

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 2) by curunir_wolf on Friday June 16 2017, @07:40PM

    by curunir_wolf (4772) on Friday June 16 2017, @07:40PM (#526583)

    Seems to me from the description, if they're loading different firmware on the device, you just need to connect to the web interface and it should be obvious. At least, if you know what it looked like out of the box.

    --
    I am a crackpot