How can attacks like the Cherry Blossom project be prevented?

With the WikiLeaks Cherry Blossom project, attackers can potentially inject malicious firmware into wireless routers. Expert Michael Cobb explains how to stop it from happening.

WikiLeaks released information on the CIA's Cherry Blossom project, which it alleges was aimed at compromising wireless routers and access points to monitor and manipulate the internet traffic of targeted users. What security lapses in wireless router implementations allowed this, and how can attacks like Cherry Blossom be prevented?

The WikiLeaks Vault 7 release revealed details of an alleged CIA project to hack wireless routers and access points to monitor, and even control and manipulate, users' internet activity.

Called the Cherry Blossom project, its 175-page user manual details how to abuse weaknesses in the way firmware updates are installed on many routers to inject its own custom firmware. These covert man-in-the-middle attacks may have been occurring since 2007, though it's still not entirely clear which routers have been successfully compromised and to what extent.

Routers direct network traffic to their final destination, passing IP packets between servers, computers, mobile and other networked devices. Given the important role they play, their security is paramount because, if a malicious actor manages to take control of a router, they control all the traffic that passes through it. This effectively turns it into a wiretap and enables them to scan for email addresses, passwords and any data of interest.

Malicious content can also be silently injected into the data stream between a user and the internet to exploit vulnerabilities in the user's applications or operating system.

The Cherry Blossom project can install malicious firmware, even without physical access, as some devices allow their firmware to be upgraded over a wireless link. The real weakness that is exploited, though, is the failure of many routers to validate the digital signature of a firmware update. Even on some enterprise-grade routers that can validate signed firmware, the functionality is not enabled by default. Routers whose signature scheme relies on MD5 hashes are also open to attack, as MD5 is no longer considered collision-resistant.

To mitigate these types of attacks, network administrators should ensure that all routers and access points require administrator rights to update firmware. The default administrator account's credentials should also be changed; in 2016, the Mirai malware targeted internet of things devices using factory default usernames and passwords.

Regular audits should be carried out to ensure any available firmware updates are installed, and the installation should follow a documented process. Routers that don't have the ability to validate the digital signature or checksum of an update before it is installed should be replaced; otherwise, it's trivial for any hacker to load custom malicious firmware. Internal monitoring systems should also flag any unusual or suspicious account activity, as this may indicate that an account or device has been compromised.
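As an added example, not code from the article or from any router vendor, this is the check a router's update path should perform before flashing an image: require a signature by policy, then verify the vendor's Ed25519 signature over the image digest, so that a lenient default setting, an unsigned image and a tampered image are each refused. The policy struct, vendor key and firmware bytes are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePolicy models a router's firmware-update settings; RequireSignature is the switch often left off by default.
type UpdatePolicy struct {
	RequireSignature bool
	VendorKey        ed25519.PublicKey // hypothetical vendor signing key (public half only)
}
var ErrPolicyLenient = errors.New("update policy does not require a signature")
var ErrUnsigned = errors.New("firmware image carries no signature")
var ErrBadSignature = errors.New("firmware signature does not verify")

// ValidateFirmware runs before flashing: it refuses unless the policy demands a signature
// and the vendor's Ed25519 signature over the SHA-256 digest of the image verifies.
func ValidateFirmware(p UpdatePolicy, image, sig []byte) error {
	if !p.RequireSignature {
		return ErrPolicyLenient
	}
	if len(sig) != ed25519.SignatureSize {
		return ErrUnsigned
	}
	digest := sha256.Sum256(image)
	if !ed25519.Verify(p.VendorKey, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// SignFirmware is the vendor build step; the router never holds the private key.
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v1.2") // constructed sample, not a real image
	sig := SignFirmware(priv, image)
	policy := UpdatePolicy{RequireSignature: true, VendorKey: pub}
	fmt.Println("genuine image:", ValidateFirmware(policy, image, sig))
	image[0] ^= 0xff // one flipped byte, as any modified update would have
	fmt.Println("tampered image:", ValidateFirmware(policy, image, sig))
}
```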

Administrators who are concerned that routers may have been a target of a Cherry Blossom project attack should check whether they are mentioned in this list of routers.


This was last published in November 2017
