The release is the latest instalment of Wikileaks' "Vault7" series, which the group has been drip-feeding to the public since March. Previous trickles have revealed CIA attempts to hack office computers, televisions and phones, among many other shock exposures.
This time, the documents contain detailed information on the CIA's router hacking "toolkit" — and how the Agency sought to leverage common vulnerabilities in routers sold by companies such as D-Link and Linksys. The techniques range from hacking network passwords to rewriting device firmware to remotely monitor traffic flowing across a target's network.
RELEASE: CIA 'CherryBlossom' & 'CherryBomb' have been infecting #DLink, #Belkin & #Linksys WiFi routers for years https://t.co/uCQLaaRwrO pic.twitter.com/gEfD84RKlX
— WikiLeaks (@wikileaks) June 15, 2017
While few may have stopped to consider why a router would interest a hacker, in truth the devices are an obvious entry point — routers typically aren't equipped with interfaces beyond on/off and reset buttons, and have no means of alerting users that they have been compromised.
A router could be hacked for years, with a user's every online action tracked and recorded, without anyone being any the wiser.
The CIA's router-hacking approach begins with a tool, "Claymore", which scans a network to identify devices and then launches two exploitation tools, "Tomato" and "Surfside". The former is noted to target vulnerabilities in at least two routers sold by D-Link and Linksys, and steals those devices' administrative passwords. Moreover, the documents state that at least two other routers sold by Linksys could be targeted with "Tomato" after a mere few weeks of development.
"Surfside" is left largely unexplained, though the documents hint it may abuse a protocol called Universal Plug and Play. Commonly abbreviated UPnP, and embedded in around 7,000 different devices — including routers, printers, media players and smart TVs — it is a protocol that tech security experts have long warned poses a potential risk.
Tomato exploits UPnP to get admin credentials for some Broadcom based devices in #vault7 leak, this is used then to install FlyTrap firmware
— Hacker Fantastic (@hackerfantastic) June 15, 2017
As the documents date back to early 2016, it's unclear whether D-Link or Linksys have identified or rectified these vulnerabilities — however, routers are difficult to update manually, and given their ubiquity, providers are reluctant to dispatch professional staff to do so, instead obliging consumers to do it themselves. Any vulnerability in a router can be left to smolder for years before correction, if it is corrected at all — and the aforementioned lack of a "warning" system alerting users to threats, à la antivirus software, means users may never discover that their device is vulnerable.
Another means of access mentioned in the papers is the failure of users to change default admin passwords — often, individuals are simply unaware that there is an admin password, or that it can be changed. This likewise offers unbridled access to the contents of an individual's router. After gaining access, a hacker or CIA agent could then install custom firmware (the CIA's is called Flytrap) on the router to monitor a target's browsing, strip SSL encryption from webpages visited, and even inject other exploits into their traffic, designed to offer access directly to the target's PC or phone. Yet another piece of software, CherryTree, serves as a command-and-control system, allowing operators to monitor and update infected network devices from a browser-based interface called CherryWeb.
Nonetheless, while acknowledging the exposures are "alarming," Matthew Hickey, Founder of Hacker House, isn't shocked the CIA would target routers.
"The information security community has been warning about this risk since 2005, if not before. Still, while technically adept users likely won't be impacted by the technique, it does potentially mean the CIA can access millions of web histories — and there's the prospect of it easily being misused and abused in surveillance operations. The only Godsend is the CIA wouldn't be able to do this remotely or in bulk — they need to be in the nearby vicinity of a router network to access it, from a car or van or similar," Mr. Hickey told Sputnik.
Ultimately, given the evident insecurities ingrained in average Wi-Fi routers, it's perhaps unsurprising the world's most well-financed spying group has exploited them — and maybe still does. Wikileaks' latest revelations serve as a palpable reminder to net users to update their routers regularly, and change their default admin passwords. Otherwise, potentially no private, internet-equipped home is safe from US surveillance.