While WikiLeaks isn’t everyone’s cup of tea, if you’re in the IT field and haven’t investigated the Vault 7 release, this article will be of interest to you.
In 2017, WikiLeaks published a series of documents describing hacking tools allegedly in use by the CIA. The release published on June 15th is a 175-page manual detailing how to hack home Wi-Fi routers, not only with physical access but by replacing their firmware remotely.
These tools are referred to as “Project CherryBlossom” and are allegedly used to monitor, intercept, and control a user’s internet activity. They work by replacing the router’s firmware with a version that carries the implant. This man-in-the-middle attack is very hard to detect because the anti-virus software on your computer or phone only inspects the device it runs on; it never sees the code running inside the router.
Undetected malware in routers isn’t new. Researchers recently discovered malware that had been hiding inside some MikroTik routers since 2012.
What exactly is “Cherry Blossom?”
As reported by The Hacker News, “Cherry Blossom is basically a remotely controllable firmware-based implant for wireless networking devices, including routers and wireless access points (APs), which exploits router vulnerabilities to gain unauthorized access and then replace firmware with custom Cherry Blossom firmware.”
According to one of the leaked documents alleged to be a CIA manual, once a router is compromised, “an implanted device [Flytrap] can then be used to monitor the internet activity of and deliver software exploits to targets of interest.”
What happens when a router is compromised?
When a router is compromised, the implant firmware (which the documents call Flytrap) can be tasked to:
- Monitor traffic to obtain email addresses, chat user names, MAC addresses, and VoIP phone numbers.
- Redirect users to websites with malicious software.
- Hijack the data streams between connected devices to spread malware across the network.
- Create VPN tunnels to access clients connected to the compromised network.
- Copy and store the entire traffic on a network served by a compromised device.
It is also claimed that the implant can go on to infect devices that connect to the internet through the compromised router, by delivering exploits to them as they browse, and that the cameras and microphones on those devices can then be used to eavesdrop.
Security expert John McAfee addresses this issue at 2 minutes 20 seconds in this interview with MoxNews.
“I don’t connect to any Wi-Fi system,” McAfee says, “I use the LTE on my phone. I know that sounds crazy but that’s the only way that I can be secure, because every router in America has been compromised. We have all known this and we’ve been warning about it for years.”
Internet privacy has been compromised for a while
Consumer routers can log the websites you visit, and some vendors send that data to advertisers. With this WikiLeaks release, however, the privacy concern has grown beyond intrusive ads.
Hiding your network name and setting a strong Wi-Fi password will not protect you here. Those settings control who can join the network, not what the router does with the traffic that passes through it; a router that logs or leaks your browsing to third parties will keep doing so. HTTPS hides the content of your traffic from the router but not which hosts you talk to, since your DNS lookups and destination addresses still pass through it. The practical defense is a VPN whose tunnel starts on your own device (laptop or phone), so the router only ever sees encrypted traffic to the VPN endpoint. Some routers, like the Archer by TP-Link, offer built-in VPN features, but a tunnel that starts or ends on the router itself does not help against a compromised router, because the router still handles the plaintext. If you haven’t considered running a VPN on your devices, now would be the time.
Network security is more important than ever
Network security is more important than most people care to consider. It’s not enough to change the default username and password. If you’re in the IT field, you know that routers are small computers running their own operating system, fully capable of storing data and running code. You’ve probably secured your router. However, you may not have considered how firmware gets onto it. Disable remote (WAN-side) administration, and disable any automatic or ISP-driven update channel you do not control; instead, install updates yourself from images downloaded from the vendor and checked against the vendor’s published hash. Do not simply stop updating, though: the implant described here gets in by exploiting router vulnerabilities, so a router left on old firmware is the easiest target. With this WikiLeaks release, it’s imperative.
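As an added example (not from the WikiLeaks release or from this article), the following Python script checks from outside your network whether any common router management port answers on your public IP, which is the quickest way to confirm that remote administration really is off. The port numbers are the standard ones; 7547 is TR-069/CWMP, the protocol ISPs use to push configuration and firmware to customer gateways. The `connect` parameter is a hypothetical injection point so the logic can be exercised without a network, and the 203.0.113.10 address is a documentation-range placeholder. Run it from a device on LTE or another external network, passing your home public IP as the argument.

```python
import socket
import sys
from typing import Callable, Dict

# TCP ports routers commonly expose for administration or remote provisioning.
# 7547 is TR-069/CWMP, the channel ISPs use to push configuration and firmware
# to customer gateways; the rest are web, SSH and telnet management interfaces.
MANAGEMENT_PORTS: Dict[int, str] = {
    22: "ssh",
    23: "telnet",
    80: "http",
    443: "https",
    7547: "tr-069/cwmp",
    8080: "http-alt",
    8443: "https-alt",
}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_management_ports(host: str,
                             connect: Callable[[str, int], bool] = tcp_open,
                             ports: Dict[int, str] = MANAGEMENT_PORTS) -> Dict[int, str]:
    """Return {port: service} for every management port that accepts a connection.

    `connect` is a hypothetical injection point (assumption of this example):
    pass a fake to exercise the logic without touching the network.
    """
    return {port: name for port, name in ports.items() if connect(host, port)}


def report(host: str, connect: Callable[[str, int], bool] = tcp_open) -> str:
    """Summarise the findings; anything listed here is reachable from the internet."""
    found = exposed_management_ports(host, connect)
    if not found:
        return f"{host}: no management ports reachable from here"
    lines = [f"{host}: {len(found)} management port(s) reachable from here; "
             "turn off remote administration and re-check"]
    for port in sorted(found):
        lines.append(f"  {port}/tcp ({found[port]})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run from OUTSIDE your LAN (e.g. a phone on LTE) against your home public IP.
    # 203.0.113.10 is a documentation-range placeholder, not a real target.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    print(report(target))
```

A full TCP connect only proves a listener answers; a port that is filtered and one that is closed both show up as not reachable, and some ISPs accept TR-069 only from their own management network, so a clean result from an arbitrary external vantage point shows that you are not exposed to the open internet, not that the provisioning channel is disabled. Check the router’s own settings for that.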
The database of potentially compromised network devices
This WikiLeaks release includes an Excel spreadsheet named “WiFi Devices.xls” that contains detailed information on many wireless routers. To inject malware into a router’s firmware, an attacker needs to know as much as possible about the target: the manufacturer, model, hardware version, reference design, FCC ID, wireless chipset, operating system, and more. Two routers sold under different brand names often share the same reference design and chipset, which is why those columns matter as much as the model name.
Although the list of routers has been published, it’s still not clear whether any of them have actually been compromised. Qz.com published a partial list along with details on “Flytrap,” the name the documents give to a router running the implant firmware, and on the firmware-flashing procedure used to install it. This WikiLeaks page provides the full list of routers.
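As an added example (constructed for this article, not taken from “WiFi Devices.xls”), here is a small Python matcher that does what a reader worried about the list would want: compare the label on the back of your own router against an inventory with those columns. It matches first on the exact FCC ID, then on the FCC grantee code (the prefix that identifies the company that obtained certification: 3 characters for older IDs, 5 characters beginning with the digit 2 for IDs issued since 2013), and last on the wireless chipset, so a rebadged unit from the same manufacturer or a device built on the same reference design still shows up. The inventory rows, brand names and FCC IDs below are fictional.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, fictional inventory with the columns the article describes.
# None of these rows come from the leaked spreadsheet.
INVENTORY: List[Dict[str, str]] = [
    {"manufacturer": "ExampleNet", "model": "EN-1200", "version": "v1",
     "fcc_id": "ABC-EN1200", "chipset": "Atheros AR9344"},
    {"manufacturer": "ExampleNet", "model": "EN-1200", "version": "v2",
     "fcc_id": "ABC-EN1200V2", "chipset": "Atheros AR9344"},
    {"manufacturer": "OtherBrand", "model": "OB-500", "version": "v1",
     "fcc_id": "2ZZZZ-OB500", "chipset": "Broadcom BCM4718"},
    {"manufacturer": "RebadgeCo", "model": "RC-Air", "version": "v1",
     "fcc_id": "ABC-RCAIR", "chipset": "Atheros AR9344"},
]

# Match strength, strongest first: an identical FCC ID is the device itself; the
# same grantee code means the same certifying company (often the ODM behind a
# rebadged unit); the same chipset suggests a shared reference design.
RANK = {"exact": 0, "grantee": 1, "chipset": 2}


def normalize(value: str) -> str:
    """Upper-case and drop separators so 'abc-en1200' and 'ABC EN1200' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", value.upper())


def grantee_code(fcc_id: str) -> str:
    """Return the grantee portion of an FCC ID.

    Grantee codes issued before 2013 are three characters; codes issued since
    are five characters and always begin with the digit 2.
    """
    fid = normalize(fcc_id)
    return fid[:5] if fid.startswith("2") else fid[:3]


def match_device(fcc_id: str, chipset: Optional[str] = None,
                 inventory: List[Dict[str, str]] = INVENTORY
                 ) -> List[Tuple[str, Dict[str, str]]]:
    """Return (reason, row) pairs for inventory rows related to the queried device,
    strongest match first. An empty list means nothing in the inventory resembles it."""
    query_id = normalize(fcc_id)
    query_grantee = grantee_code(fcc_id)
    query_chip = normalize(chipset) if chipset else None
    hits: List[Tuple[str, Dict[str, str]]] = []
    for row in inventory:
        row_id = normalize(row["fcc_id"])
        if row_id == query_id:
            hits.append(("exact", row))
        elif grantee_code(row_id) == query_grantee:
            hits.append(("grantee", row))
        elif query_chip and normalize(row["chipset"]) == query_chip:
            hits.append(("chipset", row))
    hits.sort(key=lambda hit: RANK[hit[0]])  # stable: inventory order within a rank
    return hits


def describe(fcc_id: str, chipset: Optional[str] = None) -> str:
    """Human-readable summary of match_device() for the label on a router."""
    hits = match_device(fcc_id, chipset)
    if not hits:
        return f"{fcc_id}: no related device in the inventory"
    lines = [f"{fcc_id}: {len(hits)} related row(s)"]
    for reason, row in hits:
        lines.append(f"  [{reason}] {row['manufacturer']} {row['model']} {row['version']} "
                     f"FCC ID {row['fcc_id']} ({row['chipset']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe("abc-en1200", "Atheros AR9344"))   # exact hit plus two same-grantee siblings
    print(describe("2ZZZZ-XXXX", "Atheros AR9344"))   # same grantee as OB-500, same chipset as the rest
    print(describe("QQQ-NOPE"))                        # nothing related
```

A grantee or chipset hit is a lead, not a verdict: it tells you the device shares a supplier or a reference design with something on the list, which is exactly the kind of relationship the spreadsheet’s reference-design and chipset columns exist to capture, but only the vendor’s firmware and the device itself can tell you whether it is actually affected.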
How much privacy do we really have?
Companies like Google and Facebook have collected data on their users for years, and that data is sold to advertisers who want to reach their target market. Many people consider this a violation of their privacy, though in practice it is more of an annoying inconvenience than a rights violation. Knowing that the CIA might be intercepting and collecting traffic at the router, however, raises a harder question about how much privacy we actually have while surfing the internet.