posted by cmn32480 on Friday June 16 2017, @10:08AM
from the let-me-contain-my-surprise dept.

Arthur T Knackerbracket has found the following story:

Home routers from 10 manufacturers, including Linksys, D-Link, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That's according to secret documents posted Thursday by WikiLeaks.

The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a "FlyTrap" that beacons a CIA-controlled server known as a "CherryTree." The beacon includes device status and security information that the CherryTree logs to a database. In response, the CherryTree sends the infected device a "Mission" consisting of specific tasks tailored to the target. CIA operators can use a "CherryWeb" browser-based user interface to view Flytrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

[...] All the communications between the FlyTrap and the CIA-controlled CherryTree, with the exception of copied network data, are encrypted and cryptographically authenticated. For extra stealth, the encrypted data masquerades as a browser cookie in an HTTP GET request for an image file. The CherryTree server then responds to the request with a corresponding binary image file.

CherryBlossom is the latest release in WikiLeaks Vault7 series, which the site purports was made possible when the "CIA lost control of the majority of its hacking arsenal." CIA officials have declined to confirm or deny the authenticity of the documents, but based on the number of pages and unique details exposed in the series, there is broad consensus among researchers that the documents are actual CIA materials.

-- submitted from IRC
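The story describes one concrete network artifact: a beacon sent as an HTTP GET for an image file, with the encrypted status data hidden in the Cookie header, answered with a binary image. That is something a defender can look for in proxy or egress logs. The following is an added example written for this page, not code from the leaked documents, from Ars Technica, or from WikiLeaks: it scores GET requests for image paths whose cookie values are unusually long and high-entropy, then keeps only sources that repeat such requests at regular intervals. The log format, field names, thresholds and every sample log line are constructed assumptions. It also generalises a little beyond the text, since length, entropy and timing regularity would flag any cookie-borne beacon, not only this one.

```python
"""Heuristic detector for beacon-like HTTP GETs that hide data in a cookie.

Added example for this discussion; not taken from the CherryBlossom
documents. The proxy log format, thresholds and sample lines below are
constructed assumptions, chosen to illustrate the technique offline.
"""
import math
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed proxy log format (constructed): ISO timestamp, client IP, request
# line, status, response bytes, and the raw Cookie header value.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "GET (?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) (?P<size>\d+) cookie="(?P<cookie>[^"]*)"$'
)

IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".ico")
MIN_COOKIE_LEN = 64   # assumed threshold: ordinary session cookies are shorter
MIN_ENTROPY = 4.5     # bits per char; random base64 is ~5.9, English text ~4.0


def shannon_entropy(text):
    """Bits per character of the string; 0.0 for empty input."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["size"] = int(rec["size"])
    return rec


def cookie_payload(cookie):
    """Concatenate the value part of every name=value pair in the cookie."""
    return "".join(pair.split("=", 1)[-1].strip() for pair in cookie.split(";"))


def suspicious_request(rec):
    """True for a GET of an image whose cookie is long and looks like random bytes."""
    if not rec["path"].lower().endswith(IMAGE_EXT):
        return False
    payload = cookie_payload(rec["cookie"])
    return len(payload) >= MIN_COOKIE_LEN and shannon_entropy(payload) >= MIN_ENTROPY


def find_beacons(lines, min_hits=3, max_jitter=0.2):
    """Group suspicious requests by (source, path) and keep groups whose gaps
    between requests stay within max_jitter of the median gap.
    Returns a list of (src, path, hit_count, median_gap_seconds)."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and suspicious_request(rec):
            groups[(rec["src"], rec["path"])].append(rec["ts"])
    hits = []
    for (src, path), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            hits.append((src, path, len(times), med))
    return hits


# Constructed sample data: 192.0.2.10 plays an infected router beaconing every
# ten minutes; 192.0.2.20 is an ordinary client whose requests should not match.
RANDOM_ID = "q7Yx2mN9pL4vK8wZ3bT6rJ1hG5cF0dS9aE2uI7oP4yM8kQ3nV6xB1zW5tR9jH2lC7gD4fA0sK8mE3pZ6"
SAMPLE_LOG = [
    '2017-06-16T10:00:00 192.0.2.10 "GET /img/logo.gif HTTP/1.1" 200 1872 cookie="id=' + RANDOM_ID + '"',
    '2017-06-16T10:00:05 192.0.2.20 "GET /img/logo.gif HTTP/1.1" 200 1872 cookie="session=abc123"',
    '2017-06-16T10:10:00 192.0.2.10 "GET /img/logo.gif HTTP/1.1" 200 1872 cookie="id=' + RANDOM_ID[20:] + RANDOM_ID[:20] + '"',
    '2017-06-16T10:12:30 192.0.2.20 "GET /index.html HTTP/1.1" 200 5120 cookie="id=' + RANDOM_ID + '"',
    '2017-06-16T10:20:00 192.0.2.10 "GET /img/logo.gif HTTP/1.1" 200 1872 cookie="id=' + RANDOM_ID[40:] + RANDOM_ID[:40] + '"',
    '2017-06-16T10:21:00 192.0.2.20 "GET /img/banner.png HTTP/1.1" 200 9001 cookie="pref=' + "a" * 70 + '"',
    '2017-06-16T10:30:00 192.0.2.10 "GET /img/logo.gif HTTP/1.1" 200 1872 cookie="id=' + RANDOM_ID[60:] + RANDOM_ID[:60] + '"',
    'this line is deliberately malformed and must be skipped',
]

if __name__ == "__main__":
    for src, path, count, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} fetched {path} {count} times, every ~{gap:.0f}s with an oversized random cookie")
```

The three tests are deliberately independent: a legitimate image fetch with a short session cookie, a long random cookie sent to a non-image path, and a long but repetitive cookie all fail one check each, while only the router's regular series passes all of them. In a real deployment the thresholds would be tuned against a baseline of the network's own cookie sizes, and the source list would be narrowed to addresses that should never originate outbound browsing at all, such as the router itself.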


  • (Score: 5, Insightful) by bart on Friday June 16 2017, @10:47AM (7 children)

    by bart (2844) on Friday June 16 2017, @10:47AM (#526383)

    Given the fact that we have (at least) two US multi-billion dollar government agencies actively working to eavesdrop anything and everything, without any oversight whatsoever, it should come as no surprise that a continuously growing number of people doesn't place ANY trust in whatever the US government has to tell.

    • (Score: 0) by Anonymous Coward on Friday June 16 2017, @03:52PM (1 child)

      by Anonymous Coward on Friday June 16 2017, @03:52PM (#526479)

      Maybe it's time for a crowd-sourced, distributed run at these f*ckers?

      • (Score: 1) by All Your Lawn Are Belong To Us on Friday June 16 2017, @09:05PM

        by All Your Lawn Are Belong To Us (6553) on Friday June 16 2017, @09:05PM (#526629) Journal

        What, precisely, do you think that would gain you, Coward? The key thing you miss in your evaluation is the assumption that the agencies are actually under the control of the elected government. They are NOT. The 'director' of said agency has, at best, some small say in how executive policies steer the organization. They have nothing to do with how they're actually run or the operations they undertake. The people actually DOING things... have civil service protection.

        If you're suggesting instead that there should be some kind of Anonymous style counter-operations..... you will lose. It is their ball game, their ball, their bat, their team, their spectators, and their umpire. The only winning move you conceivably have is NOT TO PLAY. Unplug. Completely. And socialize outside of any possible listening devices.

        --
        This sig for rent.
    • (Score: 1, Insightful) by Anonymous Coward on Friday June 16 2017, @04:02PM (4 children)

      by Anonymous Coward on Friday June 16 2017, @04:02PM (#526485)
      I find it hard to build a list of the good things the CIA has done for the USA, much less the world.

      In fact it seems most of the things the CIA has done has actually been bad for the USA.

      Even if you can build such a list I doubt there would be any net good. The USA would be better off shutting down the entire CIA and using the money for the welfare of US citizens.
      • (Score: 2) by bob_super on Friday June 16 2017, @05:18PM (3 children)

        by bob_super (1357) on Friday June 16 2017, @05:18PM (#526514)

        Considering how unbelievable it is that, despite being capable to hack everything everywhere, the bogeymen of drugs and terrorism are still at large... I'm gonna have to agree.

        • (Score: 2) by curunir_wolf on Friday June 16 2017, @07:34PM (1 child)

          by curunir_wolf (4772) on Friday June 16 2017, @07:34PM (#526579)
          But those aren't boogeymen to the CIA - they're "tools."
          --
          I am a crackpot
          • (Score: 0) by Anonymous Coward on Saturday June 17 2017, @09:57AM

            by Anonymous Coward on Saturday June 17 2017, @09:57AM (#526887)
            I think the term that the CIA prefers is "assets". They long referred to Osama bin Laden himself as such. And well, they managed to fund the Nicaraguan Contras with drug money, rather literal assets there.
        • (Score: 0) by Anonymous Coward on Saturday June 17 2017, @09:53AM

          by Anonymous Coward on Saturday June 17 2017, @09:53AM (#526885)

          I suddenly remember a joke from Neil Gaiman's American Gods:

          Q: How do you know the CIA had nothing to do with the Kennedy assassination?
          A: He's dead, ain't he?

  • (Score: 2) by kaszz on Friday June 16 2017, @10:56AM (14 children)

    by kaszz (4211) on Friday June 16 2017, @10:56AM (#526384) Journal

    Anyone found the "Wifi Devices.xls" list of supported devices?

    Anyway, it seems the installation relies on upgrade over the wireless interface. So blocking that and locking down access keys goes some way to block this. The implant also seems to send a beacon signal which could be detected. The flash image will also be modified, an obvious giveaway.

    • (Score: 4, Informative) by butthurt on Friday June 16 2017, @11:11AM (10 children)

      by butthurt (6141) on Friday June 16 2017, @11:11AM (#526386) Journal
      • (Score: 1, Informative) by Anonymous Coward on Friday June 16 2017, @12:47PM (9 children)

        by Anonymous Coward on Friday June 16 2017, @12:47PM (#526406)

        interesting, no Netgear in there

        • (Score: 3, Informative) by ledow on Friday June 16 2017, @01:09PM (2 children)

          by ledow (5567) on Friday June 16 2017, @01:09PM (#526411) Homepage

          Or Draytek

          • (Score: 2, Informative) by pTamok on Friday June 16 2017, @01:16PM (1 child)

            by pTamok (3042) on Friday June 16 2017, @01:16PM (#526414)

            Or indeed, no Buffalo, or TP-Link, or TRENDnet

            Interesting to compare with the list of supported devices for LEDE/OpenWrt here: https://lede-project.org/toh/start [lede-project.org]

            I wonder what the common thread is (or was) that makes the vulnerable routers vulnerable.

            • (Score: 0) by Anonymous Coward on Friday June 16 2017, @07:55PM

              by Anonymous Coward on Friday June 16 2017, @07:55PM (#526588)

              "used by foe" is probably the determining factor. If yes, allocate budget.

              Something only sold in the USA will instead be hacked by every other country in the world. (except China, since they already have a back door)

        • (Score: 1) by Revek on Friday June 16 2017, @01:18PM (5 children)

          by Revek (5022) on Friday June 16 2017, @01:18PM (#526415)

          Most Netgear routers I've hooked up a serial cable to are running versions of OpenWrt. Of course the FCC doesn't want you to run open source firmwares on your equipment for some reason.

          --
          This page was generated by a Swarm of Roaming Elephants
          • (Score: 3, Interesting) by hendrikboom on Friday June 16 2017, @02:05PM (1 child)

            by hendrikboom (1125) Subscriber Badge on Friday June 16 2017, @02:05PM (#526426) Homepage Journal

            The FCC has modified their stance. They just don't want you to mess with the RF stuff. They have recognised that free user software can enhance security rather than cause unacceptable radio interference.

            • (Score: 4, Informative) by frojack on Friday June 16 2017, @06:28PM

              by frojack (1554) on Friday June 16 2017, @06:28PM (#526552) Journal

              Exactly, and the bands differ in different parts of the world.

              Rather than making the physical device locked to specific bands, via a 6 cent rom chip, they let the vendors build software controlled radios, and act all alarmed that end-users understand software.

              The interesting way around this that was quietly foisted upon just about everybody (apparently) by governments is CRDA standard [die.net] where the wifi chipset can be told its country code by the kernel depending on where [kernel.org] the wifi chipset is used.

              That was such a good idea (cough) that they decided to go one better and dynamically fetch this information over any available network connection and reprogram wifi chips on the fly. So people are seeing constant calls to crda in their logs, where the software stack is trying to force regulatory domains (country codes) updates from information fetched over the network, sometimes with debilitating results, such as when the wifi was manufactured with defaults for one area, but is being used in a laptop in another area, and every connect/disconnect gets in a turf war with itself.

              --
              No, you are mistaken. I've always had this sig.
          • (Score: 3, Interesting) by pendorbound on Friday June 16 2017, @02:34PM (2 children)

            by pendorbound (2688) on Friday June 16 2017, @02:34PM (#526438) Homepage

            FCC doesn't care if you run mod'd firmware, as long as it doesn't exceed the radio transmit power or stray from approved frequencies. Since most WiFi chipsets are to some degree a software defined radio (at least within limited WiFi-related frequencies), it's possible on many of them to load firmware that will transmit with more power or on frequencies that aren't approved for unlicensed WiFi use in the US.

            Some of the vendors got lazy and just locked the entire firmware chain. All they *had* to do was lock the radios, maybe by shipping hardware that had its region/power settings burned into the radio chip rather than loaded from the host OS at runtime, but that would have taken effort. Locking the entire system down was easier/cheaper, so that's what many vendors did.

            • (Score: 2) by kaszz on Friday June 16 2017, @03:37PM

              by kaszz (4211) on Friday June 16 2017, @03:37PM (#526472) Journal

              The upside to that is that a bigger lock is a larger attack surface..

            • (Score: 0) by Anonymous Coward on Saturday June 17 2017, @03:09AM

              by Anonymous Coward on Saturday June 17 2017, @03:09AM (#526783)

              So the practical effect (i.e. what actually matters here, not their intentions) of the FCC's rules was encouraging more proprietary junk? Good to know. At least there are still some options.

    • (Score: 2) by frojack on Friday June 16 2017, @06:33PM (1 child)

      by frojack (1554) on Friday June 16 2017, @06:33PM (#526554) Journal

      Anyone found the "Wifi Devices.xls" list of supported devices?

      More importantly, has anyone found/built a tool to detect these compromised routers in the wild?
      I would think that would be the first order of business.

      (I have had so many routers just go wonky on me over the years (even when I keep up with firmware updates) that I just about plan router replacements every 5 years.)

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 2) by curunir_wolf on Friday June 16 2017, @07:40PM

      by curunir_wolf (4772) on Friday June 16 2017, @07:40PM (#526583)

      Seems to me from the description, if they're loading different firmware on the device, you just need to connect to the web interface and it should be obvious. At least, if you know what it looked like out of the box.

      --
      I am a crackpot
  • (Score: 4, Funny) by bradley13 on Friday June 16 2017, @11:21AM (6 children)

    by bradley13 (3053) on Friday June 16 2017, @11:21AM (#526389) Homepage Journal

    Of course, we can be certain that the CIA was careful to get a warrant each and every time it wanted to use this software. We can be equally certain that they uninstalled the software when they were finished.

    --
    Everyone is somebody else's weirdo.
    • (Score: 1) by khallow on Friday June 16 2017, @11:51AM

      by khallow (3766) Subscriber Badge on Friday June 16 2017, @11:51AM (#526397) Journal
      Your assertion via gratuitous sarcasm certainly convinced me of the rightness and legality of this approach!
    • (Score: 3, Funny) by kaszz on Friday June 16 2017, @12:07PM

      by kaszz (4211) on Friday June 16 2017, @12:07PM (#526402) Journal

      Anonymous, hereby grants you a perpetual warrant to be used anytime you so deem necessary to use for deep no sunlight probing of any sunless CIA entry point you may find. For efficiency reasons you are relieved (not in the sun free zone) from any duty to remove any penetrative tool you deemed necessary or the effects of said object. This warrant does not imply any unnatural inclination nor does it limit any such inclination.

          /Ûberpenatrative Uhrifficer!

      No Commodore-2^6 communications chips were ever sacrificed for this cause. May your chips have many productive cycles!

    • (Score: 0) by Anonymous Coward on Friday June 16 2017, @01:49PM

      by Anonymous Coward on Friday June 16 2017, @01:49PM (#526422)

      Of course, we can be certain that the CIA was careful to get a warrant each and every time it wanted to use this software

      You never know. They may have installed a ReadMe file containing a copy of the warrant ;-)

    • (Score: 2) by Snotnose on Friday June 16 2017, @02:33PM

      by Snotnose (1623) on Friday June 16 2017, @02:33PM (#526437)

      If you read the doc you'll see the software can't be uninstalled. They have a kill command that, when received, de-activates flytrap. The kill command persists across reboots.

      --
      Why shouldn't we judge a book by its cover? It's got the author, title, and a summary of what the book's about.
    • (Score: 2) by KGIII on Friday June 16 2017, @04:22PM

      by KGIII (5261) on Friday June 16 2017, @04:22PM (#526495) Journal

      In theory, these would only be used against non-citizens who are outside of the border - with some exceptions with oversight.

      Don't laugh. I said, "In theory." The CIA is, for the most part, not supposed to do covert activities on US soil.

      --
      "So long and thanks for all the fish."
    • (Score: 0) by Anonymous Coward on Friday June 16 2017, @07:51PM

      by Anonymous Coward on Friday June 16 2017, @07:51PM (#526585)

      They got a warrant every time it was required by our constitution. Seeing as the agency operates outside of US territory, that would be never.

      As far as uninstallation goes, wouldn't you do that if you were trying to hide? The stuff probably self-destructs if you look at it funny.

  • (Score: 2) by stormreaver on Friday June 16 2017, @01:01PM (6 children)

    by stormreaver (5101) on Friday June 16 2017, @01:01PM (#526409)

    Are the routers still vulnerable if OpenWRT is installed?

    • (Score: 2) by digitalaudiorock on Friday June 16 2017, @02:06PM (3 children)

      by digitalaudiorock (688) on Friday June 16 2017, @02:06PM (#526427) Journal

      Are the routers still vulnerable if OpenWRT is installed?

      Unless they're exploiting something other than the OS itself, which seems almost impossible, I can't imagine it would. Perhaps it would be possible for them to exploit something like dd-wrt but it's hard to imagine they'd bother given all the other easy pickings out there.

      • (Score: 5, Insightful) by pTamok on Friday June 16 2017, @02:33PM (2 children)

        by pTamok (3042) on Friday June 16 2017, @02:33PM (#526435)

        Unless they're exploiting something other than the OS itself, which seems almost impossible...

        Actually, pretty easy. Most low end devices are built using System On a Chip (SOC) technology, and those in turn are manufactured by the router vendor buying (proprietary, (trade) secret) system component designs that are integrated together by the chip fab, with maybe one or two tweaks. These modular building blocks can have almost anything incorporated into them without the end-customer knowing, so an Ethernet packet processor could easily have a hardware backdoor incorporated into the chip layout. The same is true for Wi-Fi radio modules. No-one audits the design for such things.

        ( See https://en.wikipedia.org/wiki/System_on_a_chip [wikipedia.org] )

        People have noticed the management processors in Intel and AMD cpus, but there is nothing preventing similar techniques being used elsewhere. Once you have a standard module ( https://en.wikipedia.org/wiki/Semiconductor_intellectual_property_core [wikipedia.org] ) with a backdoor incorporated, it takes very little effort for it to be rolled out to all SoC devices manufactured. If anything, it takes more effort to not have it in.

        This is why the open hardware movement is important. Unless you can trust your hardware, you don't know if you can be compromised. This is a hard problem to solve, especially if your adversary is a nation-state from whom you buy electronics.

        • (Score: 0) by Anonymous Coward on Friday June 16 2017, @09:18PM

          by Anonymous Coward on Friday June 16 2017, @09:18PM (#526635)

          "This is a hard problem to solve, especially if your adversary is a nation-state from whom you buy electronics."

          Unless you only use FPGA chips. I don't believe you can easily compromise one of them, since they can't predict what sort of internal logic you will be running, or what pins for I/O.

        • (Score: 2) by digitalaudiorock on Saturday June 17 2017, @02:45PM

          by digitalaudiorock (688) on Saturday June 17 2017, @02:45PM (#526988) Journal

          I stand corrected! Thanks for the explanation.

    • (Score: 2) by KGIII on Friday June 16 2017, @04:28PM

      by KGIII (5261) on Friday June 16 2017, @04:28PM (#526498) Journal

      At the Green Site, someone in the comments linked to the list (which is also linked in this thread) and cited at least one which used OpenWRT firmware. If one was vulnerable, perhaps more would be? I have to head out, but you can search that thread, if you're interested.

      --
      "So long and thanks for all the fish."
    • (Score: 2) by J053 on Saturday June 17 2017, @12:57AM

      by J053 (3532) <dakineNO@SPAMshangri-la.cx> on Saturday June 17 2017, @12:57AM (#526711) Homepage
      One of the firmware builds listed (page 174 of the document) is:
      16.7 Firmware Upgrade Procedures: Linksys WRT54GL v1 fw ddwrt_v24_sp1_std_generic_10011
  • (Score: 3, Insightful) by kaszz on Friday June 16 2017, @03:42PM (2 children)

    by kaszz (4211) on Friday June 16 2017, @03:42PM (#526475) Journal

    This exploit combined with the various home equipment that have microphones, cameras and telemetry enabled by default. However most people who know about security will not let these devices connect to the internet. But if they can hitch a ride on a nearby compromised WiFi-AP. It's all ready to be abused.

    Even the computer phones send out continuous searches for access points and are generally careless with private data.

    • (Score: 2) by bob_super on Friday June 16 2017, @06:04PM (1 child)

      by bob_super (1357) on Friday June 16 2017, @06:04PM (#526539)

      > various home equipment that have microphones, cameras and telemetry enabled by default. However most people
      > that knows about security will not let these devices connect to the internet.

      As of February, Amazon has sold over 8 million Echo devices, and the competitors are rushing to catch up.
      Not even counting all the surveillance cameras, laptops, and of course Cell phones.

      • (Score: 2) by kaszz on Saturday June 17 2017, @12:26PM

        by kaszz (4211) on Saturday June 17 2017, @12:26PM (#526931) Journal

        The amount of stupidity in the general population is staggering. Not that it's news anymore.

  • (Score: 0, Disagree) by Anonymous Coward on Friday June 16 2017, @09:13PM

    by Anonymous Coward on Friday June 16 2017, @09:13PM (#526633)

    Glad I use old hardware and some sort of software solution (like pfSense, or do it manually). Sure, in theory they can still get me if they really really want to, but this raises the bar beyond simplistic 'mass surveillance' and they would have to target me personally.
