Router security issues highlighted by CIA's CherryBlossom project
The latest WikiLeaks release on CIA hacking tools includes the CherryBlossom project, which highlights router security issues, including a lack of firmware signing validation.
Leaked information on the CIA's CherryBlossom project details how the agency may have abused router security issues with custom firmware.
WikiLeaks released information regarding CherryBlossom, which was allegedly developed by the CIA in conjunction with the Stanford Research Institute. WikiLeaks claimed the project "focused on compromising wireless networking devices, such as wireless routers and access points" in order to exploit and monitor the internet activity of targets.
"These devices are the ideal spot for man-in-the-middle [MitM] attacks, as they can easily monitor, control and manipulate the internet traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user," WikiLeaks wrote in a blog post. "The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection."
Firmware router security issues
Experts noted that the major issue exploited by the CherryBlossom project is that many routers do not validate the digital signature of a firmware update.
Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said the bigger story than the CIA's involvement is "how requiring digitally signed firmware will prevent this specific attack."
Jake Williamsfounder, Rendition InfoSec LLC
"It's easy. If the router isn't validating digital signatures on the firmware, it's trivial to load custom malicious firmware," Williams told SearchSecurity. "Most routers don't validate signatures. You need enterprise-grade before most of them do it."
However, Bobby Kuzma, security researcher for Core Security, noted that there may be router security issues with enterprise-grade devices not enforcing firmware signing.
"On the enterprise side, the big router manufacturers have offered validation of signed firmware for quite some time. The problem is that it's not enabled by default for the most part, and it requires that a network admin actually go and do something," Kuzma told SearchSecurity. "Both the Cisco and Juniper tools rely on MD5 hashes. MD5 is broken as a hashing algorithm, with several known and feasible techniques for generating identical hashes from wildly different binary content."
John Bambenek, threat systems manager at Fidelis Cybersecurity, said if a malicious actor could control the router, they can control everything.
"I could easily redirect DNS requests to a server I control which would mean I know every domain you look up. I could reroute all of your traffic through a device I control, which means I could set up a wiretap," Bambenek told SearchSecurity. "I could have URLs and passwords sent to a central server. In essence, it turns your home router into an intelligence listening post."
Router security issues beyond firmware signing
Williams noted that loading custom firmware wouldn't even be necessary to perform similar attacks as with the CherryBlossom project.
"To ever install firmware they need admin level access to the router. If they have that, they can modify the upstream info like DNS (and iptables in many models) and capture traffic on many models with no firmware at all. If I control your DNS, I MitM anything," Williams said via Twitter. "So an important thing to note is that with admin level access (which the CIA needs for this) attackers without CIA level budget can achieve most of the same goals."
Kuzma said that custom firmware allows for additional stealth and "all kinds of fun features that aren't standard."
"Via an implant you could silently redirect traffic, capture traffic as it transits the router, or even use the router itself as a pivot point to relay command traffic to implants elsewhere within a network, and to do so without raising suspicion in the form of logs of remote access," Kuzma said.
Ken Spinner, vice president of field engineering at Varonis Systems, said router security issues should often fall on the manufacturers who have a "ship-it-out-and-update-later mentality," even though many -- especially consumers -- never update router firmware.
"Attacks like these underscore that the perimeter will always have leaks -- and like many of our aging technologies, routers weren't built with security in mind. We've got to be more proactive in planning for attackers breaching the first line of defenses: and therefore have security controls in place to monitor and detect intruders," Spinner told SearchSecurity. "If hackers use something like CherryBlossom to scan for information like passwords, you're going to need security defenses on the inside to make sure that user accounts and access to sensitive information is monitored -- so that you know when a user starts behaving suspiciously or an account is compromised."