By now, we’ve all heard about the huge trove of material that WikiLeaks is releasing to the world that allegedly documents the hacking efforts of the CIA. Code-named Vault 7, these documents outline how the agency performs covert surveillance on everything from iOS and Android smartphones to desktop computers. There’s even information about listening in on people’s conversations by hacking their Samsung smart TVs.
If covert surveillance is what you’re after, routers offer an ideal platform from which to observe. Every packet entering or leaving the home passes through them, so a compromised router can watch that traffic and modify anything that isn’t end-to-end encrypted, making it a natural place from which to launch a Man-in-the-Middle attack. It also lets an attacker stay hidden: a router runs no antivirus, its firmware is rarely inspected, and an implant there is difficult to detect. Most of the information about router hacking released so far, however, concerns enterprise-grade routers, namely Cisco.
What about Consumer-Grade, Home Routers?
If the target of surveillance is an individual, his or her home router would make a terrific device to hack, and the CIA is certainly aware of this. Within Vault 7, we’ve found the following information. (Please note: WikiLeaks currently claims that what has been released publicly is less than one percent of all the information it holds.)
This information is very interesting even though it’s incomplete. What’s most interesting is that it positively confirms that hacking home routers is on the CIA’s agenda.
Hacking a home router is quite different from hacking most of the other devices that the CIA appears to be targeting. Most other devices and platforms allow for a fairly straightforward method of attack:
- Determine the surveillance target’s device to be attacked.
- Grab some malware that has been tailored to that device. It sounds like there is a large stash of malware waiting to be used for all sorts of devices and purposes. In most cases, the malware communicates with a Command and Control system somewhere on the Internet to enable the surveillance.
- Load the malware onto the surveillance target’s device. This is usually done by tricking the user into unknowingly loading it, and there are many ways to do so:
  - Find a known vulnerability in the device and exploit it to load the malware.
  - Use viruses and/or infected web pages to deliver the malware.
  - Resort to social engineering.
- Wait for the information to come into your Command and Control system.
But this recipe won’t work for home routers.
How to Attack a Home Router
Consumer-grade routers are simply different beasts. Software (or more precisely, firmware) is loaded onto the device in a way that’s quite different from installing a program on Microsoft Windows, for example. You can’t simply trick someone into running your tainted firmware image. This creates quite a challenge for anyone who wants to attack a home router. Here is what an attacker must do:
- Determine the exact model of the router to attack. In many cases the attacker must also know the version of firmware being used, since an implant built for one version may not run on another. Depending on the router model, this step is either incredibly easy or incredibly difficult, bordering on the impossible.
- Obtain a copy of the device’s firmware. This isn’t really so difficult: many firmware images are downloadable from vendor websites. Otherwise, firmware can often be extracted directly from the device’s flash. If you know that your surveillance target is running a TP-Link router, simply go to the store and buy the same model. Voilà, you have a copy of the firmware.
- Augment this firmware with a software component that you’ve created to do whatever it is you want to do. This often means communicating with a Command and Control system.
- Load this firmware onto the device. This is easier said than done–more on this below.
- Wait for the information to come into your Command and Control system.
If we go back to the information in Vault 7, we see that it’s really concerned with Steps 2 and 3 above. There’s some discussion of the tools and techniques one would use to get a copy of the necessary firmware, but frankly, there are no great revelations here. You can get most of this information from a good course on embedded-systems hacking (or just watch enough YouTube videos on the topic).
What is interesting is the information about implanting a component into the firmware so that the device performs the surveillance. We see that the implant an attacker uses is determined by the platform the firmware runs on. The two biggest platforms in the router world are Linux and VxWorks (a proprietary real-time operating system). These and several others are identified as having the necessary components for this purpose. The implant used for Linux-based devices is code-named “Cannoli”, and there’s some information on how to use the tools to weaponize a firmware image with it. Unfortunately, no other information about Cannoli has been made available, but we’ve still only seen a small part of the entire Vault 7 data.
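Why is implanting a component into a firmware image (Step 3) feasible at all, and what would stop it? The deciding factor is what the router checks before it accepts an image. The following is an added example, not code from Vault 7 or from any vendor: it uses a constructed image layout (magic, length, payload, CRC32 trailer) that stands in for the checksum-only formats common on consumer routers, and compares it with the same image carrying an Ed25519 signature. All names, the seed and the payload strings are invented for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Constructed image layout for this example (not any vendor's real format):
//   magic "FWIM" | payload length, 4 bytes big-endian | payload | CRC32 over everything before it
// The signed variant appends a 64-byte Ed25519 signature over the whole CRC-protected image.
var magic = []byte("FWIM")

func buildImage(payload []byte) []byte {
	buf := &bytes.Buffer{}
	buf.Write(magic)
	binary.Write(buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	binary.Write(buf, binary.BigEndian, crc32.ChecksumIEEE(buf.Bytes()))
	return buf.Bytes()
}

// payloadOf extracts the payload so callers can see what would actually be flashed.
func payloadOf(img []byte) []byte {
	n := binary.BigEndian.Uint32(img[4:8])
	return img[8 : 8+n]
}

// verifyCRC is what a checksum-only updater does: it detects corruption, not tampering.
func verifyCRC(img []byte) error {
	if len(img) < 12 || !bytes.Equal(img[:4], magic) {
		return errors.New("bad header")
	}
	body, trailer := img[:len(img)-4], img[len(img)-4:]
	if crc32.ChecksumIEEE(body) != binary.BigEndian.Uint32(trailer) {
		return errors.New("CRC mismatch")
	}
	return nil
}

// implant is the attacker's Step 3: append a component to the payload and recompute the CRC.
func implant(img, component []byte) []byte {
	p := append([]byte{}, payloadOf(img)...)
	return buildImage(append(p, component...))
}

// signImage is the vendor's build step; the private key never leaves the vendor.
func signImage(img []byte, priv ed25519.PrivateKey) []byte {
	return append(append([]byte{}, img...), ed25519.Sign(priv, img)...)
}

// verifySigned is what a signature-checking updater does; only the public key lives in the device.
func verifySigned(signed []byte, pub ed25519.PublicKey) error {
	if len(signed) < ed25519.SignatureSize+12 {
		return errors.New("too short")
	}
	cut := len(signed) - ed25519.SignatureSize
	body, sig := signed[:cut], signed[cut:]
	if !ed25519.Verify(pub, body, sig) {
		return errors.New("signature invalid: image was not produced by the vendor")
	}
	return verifyCRC(body)
}

// implantSigned tries the same trick on a signed image: tamper with the body, keep the old signature.
func implantSigned(signed, component []byte) []byte {
	cut := len(signed) - ed25519.SignatureSize
	body, sig := signed[:cut], signed[cut:]
	return append(implant(body, component), sig...)
}

// vendorKey derives a fixed key pair from a constructed seed so the example is reproducible.
func vendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := vendorKey()
	stock := buildImage([]byte("bootloader+kernel+rootfs"))
	fmt.Println("stock image, CRC check:", verifyCRC(stock))
	tampered := implant(stock, []byte(";implant"))
	fmt.Println("tampered image, CRC check:", verifyCRC(tampered), "payload:", string(payloadOf(tampered)))
	signed := signImage(stock, priv)
	fmt.Println("signed stock image:", verifySigned(signed, pub))
	fmt.Println("signed tampered image:", verifySigned(implantSigned(signed, []byte(";implant")), pub))
}
```

The CRC-only updater happily accepts the tampered image because the attacker simply recomputes the checksum; the signed image is rejected because the attacker has no way to produce a valid signature without the vendor’s private key. Buying the same model (Step 2) gives an attacker the public key, which is useless here; it is the absence of signature checking, not the availability of the firmware, that makes Step 3 work.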
Loading Infected Firmware onto a Router
Performing the first three steps of attacking a router is not so difficult, and it’s well understood how to do them. Step 4 is the problem. How does one load infected firmware onto a surveillance target’s router? To answer this, first you must ask: how does one load any firmware onto a router?
Most home routers have an administrator console that lets you upgrade the firmware. It’s usually pretty simple: you download the firmware file from the vendor, then tell the administrator console where that file is. It typically takes two or three minutes to load, and then your router is running it. Notably, many consumer routers check only that the uploaded file is well-formed for the model (a header and a checksum), not that the vendor actually produced it, which is why a modified image from Step 3 is accepted at all.
But that’s the normal case. How can this be done covertly? The information released in Vault 7 so far does not suggest how to do it. There’s probably not one magical solution that works for all cases. Because of the technical issues involved, different approaches may be necessary to accomplish this task.
How to Load Your Firmware onto a Router Covertly (...if you’re the CIA)
DISCLAIMER: The information presented here is speculation. Without information that has not yet been released, we can’t know for sure how this is really being done. Instead, it is worthwhile to look at the possible ways that this could be done to better understand the security landscape. By looking at these issues and fostering discussion, we hope to raise the level of security for consumer routers.
The problem of covertly loading firmware onto a router is: how do you get access to the administrator console? That requires logging into the router as an administrator, and login is protected with a password. So what options does an attacker have? We’ll look at some ideas.
Guess the Administrator Password
As much as we (and everyone else involved with home router security) keep saying that strong administrator passwords for routers are so important, we often find that people don’t heed these words. Many people still don’t change the default password that was set in the factory, which makes breaking in to modify the firmware a trivial task. Once someone has logged into a router, changing the firmware is easy to do.
Many people believe that a good password is not necessary if their router’s interface is not reachable from the Internet. This belief is mistaken. The console is reachable from inside the home network, and an attacker can get there without being on it: a CSRF attack makes the user’s own browser send requests to the router on the attacker’s behalf when the user visits a malicious or compromised web page, and any already-compromised device on the network (a PC, a phone, an IoT gadget) can reach the login screen directly.
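To make the CSRF point concrete, here is an added example (not code from the page or from any router vendor) of a toy firmware-upgrade handler in two versions. The vulnerable one accepts any POST that carries the admin’s session cookie, which a page on another site can trigger because the browser attaches the cookie automatically. The hardened one additionally requires an anti-CSRF token that only a same-origin page can read, and refuses requests whose Origin header names a different site. The cookie value, token, console address and file names are all constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed values for the example: the admin's session cookie and the console's own origin.
const (
	adminSession  = "s3ss10n-c0ffee"
	consoleOrigin = "http://192.168.1.1"
)

func isAdmin(r *http.Request) bool {
	c, err := r.Cookie("sid")
	return err == nil && c.Value == adminSession
}

// vulnerableUpgrade trusts the session cookie alone. The browser attaches that cookie to any POST
// aimed at the router, including one auto-submitted by a page the admin opened on another site.
func vulnerableUpgrade(w http.ResponseWriter, r *http.Request) {
	if !isAdmin(r) {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "flashing %s", r.FormValue("image"))
}

// hardenedUpgrade also demands a per-session token that only same-origin pages can read, and
// rejects cross-site requests by their Origin header. A request with no Origin header at all
// still fails on the token check, so both defenses must be satisfied.
func hardenedUpgrade(csrfToken string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !isAdmin(r) {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		if o := r.Header.Get("Origin"); o != "" && o != consoleOrigin {
			http.Error(w, "cross-site request refused", http.StatusForbidden)
			return
		}
		got := r.FormValue("csrf_token")
		if subtle.ConstantTimeCompare([]byte(got), []byte(csrfToken)) != 1 {
			http.Error(w, "missing or wrong CSRF token", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "flashing %s", r.FormValue("image"))
	}
}

// submitUpgrade replays what a browser would send to the handler and returns status and body.
// origin is the page that issued the request; token is whatever that page could put in the form.
func submitUpgrade(h http.Handler, origin, image, token string) (int, string) {
	form := url.Values{"image": {image}}
	if token != "" {
		form.Set("csrf_token", token)
	}
	req := httptest.NewRequest(http.MethodPost, consoleOrigin+"/upgrade", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	req.AddCookie(&http.Cookie{Name: "sid", Value: adminSession}) // the browser sends this automatically
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	token := "t0k3n-bound-to-session" // constructed; a real console generates one per session
	hardened := hardenedUpgrade(token)
	// Forged request: the admin is logged in, but the POST comes from a page on another site,
	// which cannot read the token and cannot disguise its Origin.
	fmt.Println(submitUpgrade(http.HandlerFunc(vulnerableUpgrade), "http://evil.example", "implant.bin", ""))
	fmt.Println(submitUpgrade(hardened, "http://evil.example", "implant.bin", ""))
	// Legitimate request from the console's own page.
	fmt.Println(submitUpgrade(hardened, consoleOrigin, "vendor-1.2.3.bin", token))
}
```

The forged request succeeds against the vulnerable handler without the attacker ever being on the home network: the victim’s browser is. A strong password does not help here either, because the browser already holds a logged-in session; the token and Origin checks are what close the hole.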
Exploit a Vulnerability in the Device
There are many known vulnerabilities in consumer routers, and certainly many that are known to someone but not disclosed. Depending on the severity of the vulnerability, administrator access may be obtained so that the firmware can be updated, or a code-execution bug may allow writing to flash without going through the console at all.
Swap the Router with an Identical (Infected) One
An attacker who is desperate can always swap the user’s router for an identical model onto which the tainted firmware has been loaded. However, this is a fairly risky thing to do because any customization the user has made (such as setting a WiFi password) would be lost unless the attacker first copies the configuration. The attacker could leave the router in a factory-default state and hope that the user overlooks the fact that the settings were lost and simply re-enters them.
Use JTAG
JTAG is a standard debug interface that hardware engineers use to test and program the chips on a circuit board. Through it, an attacker can write a firmware image directly to the router’s flash, or read and modify memory to bypass the login check on the administrator console.
However, using JTAG is a complicated process. You must physically get at the circuit board inside the router’s case, which means opening it up and attaching the wires and probes needed to reach the JTAG pins (if they are even populated). Depending on the circumstances and how much time the attacker has with the device, this may nonetheless be the most practical option.
Real Spy Stuff
When we normally think about hackers, we know that there are real limits to the kinds of things that they can do. Sure, they can cause havoc, but there are some technological or social barriers that are so daunting that even the best hackers would have trouble overcoming them.
But when we talk about the CIA doing the hacking, we can imagine that some barriers can be avoided.
If our goal is to update someone’s router with tainted firmware designed to spy on them, there’s a very simple mechanism that’s often available: the TR-069 protocol (also called CWMP). TR-069 lets an ISP’s Auto Configuration Server (ACS) remotely manage the routers it has supplied to its customers, including telling a router to download and install a new firmware image, with no action from the user at all. What stops an ordinary hacker from taking advantage of this protocol and infecting everyone’s router? (1) The attacker is not the ISP, and (2) the attacker can’t impersonate the ISP, because the router contacts an ACS address the ISP configured and, in any sane deployment, verifies the ACS’s TLS certificate before accepting commands.
Maybe we’ve watched one too many spy thrillers, but in that world, it’s easier for these barriers to disappear. A single agent strategically placed at an ISP would have many ways to push surveillance firmware to routers through the ISP’s own ACS. Alternatively, a single agent placed at a Certificate Authority could provide the agency with a certificate for the ISP’s ACS hostname, letting it impersonate the ISP (or, more simply, convince a surveillance target’s router that it is talking to its ISP so that it accepts an update). The CA route has two caveats worth noting: the attacker must also steer the router’s ACS connection to a server they control, and it only works if the router trusts any publicly trusted CA rather than a key pinned to its ISP’s ACS.
If any of these things were to happen, someone’s router could be silently changed to spy on him or her. There would be almost no traces on the device itself, and it would be nearly impossible for the user to detect.
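The Certificate Authority scenario hinges on one design choice on the router: does it accept any certificate that chains to a trusted CA, or only its ISP’s key? The following added example (not code from the page, not real TR-069/CWMP, and not any vendor’s client) models the TLS part of that decision. Two HTTPS servers pose as the ACS, one legitimate and one rogue, each with a certificate for the same name; the rogue one chains to a CA the router trusts, standing in for the certificate an insider at a CA could issue. A router that only validates the chain accepts the rogue server’s firmware URL; a router that also pins the ISP’s ACS public key rejects it. The hostnames, URLs and the use of a plain HTTP GET in place of the CWMP Download RPC are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newServerCert makes a self-signed certificate for 127.0.0.1. In the example the same cert doubles
// as the CA the router trusts, standing in for "a certificate chaining to a CA in the router's store".
func newServerCert(cn string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// startACS runs a TLS server posing as an ACS; the body it returns is the firmware URL the router
// would be told to fetch (a stand-in for the CWMP Download RPC).
func startACS(cert tls.Certificate, firmwareURL string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, firmwareURL)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// spkiPin is the SHA-256 of the certificate's SubjectPublicKeyInfo, the usual value to pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// routerClient models the CPE side. roots is the CA set the firmware ships with; if pin is set, the
// ACS must also present exactly the pinned key, so a certificate from any other CA is useless.
func routerClient(roots *x509.CertPool, pin string) *http.Client {
	cfg := &tls.Config{RootCAs: roots}
	if pin != "" {
		cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || len(chains[0]) == 0 {
				return errors.New("no verified chain")
			}
			if got := spkiPin(chains[0][0]); got != pin {
				return fmt.Errorf("ACS key pin mismatch (%s...)", got[:8])
			}
			return nil
		}
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// askACS returns the firmware URL the ACS hands out, or an error if the TLS handshake rejected it.
func askACS(c *http.Client, acsURL string) (string, error) {
	resp, err := c.Get(acsURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// runScenarios returns, in order: legit ACS with pinning; rogue ACS against a router that only checks
// the chain; rogue ACS against a pinning router. Each entry is the firmware URL obtained, or "" if rejected.
func runScenarios() []string {
	ispCert, ispLeaf := newServerCert("acs.isp.example")     // the ISP's real ACS key
	rogueCert, rogueLeaf := newServerCert("acs.isp.example") // attacker's cert for the same name
	legit := startACS(ispCert, "https://isp.example/fw/v1.2.bin")
	defer legit.Close()
	rogue := startACS(rogueCert, "https://attacker.example/fw/implant.bin")
	defer rogue.Close()

	roots := x509.NewCertPool()
	roots.AddCert(ispLeaf)
	roots.AddCert(rogueLeaf) // the CA behind the rogue cert is in the router's trust store

	cases := []struct {
		c   *http.Client
		acs string
	}{
		{routerClient(roots, spkiPin(ispLeaf)), legit.URL},
		{routerClient(roots, ""), rogue.URL},
		{routerClient(roots, spkiPin(ispLeaf)), rogue.URL},
	}
	out := make([]string, 0, len(cases))
	for _, s := range cases {
		fw, err := askACS(s.c, s.acs)
		if err != nil {
			fw = ""
		}
		out = append(out, fw)
	}
	return out
}

func main() {
	for i, fw := range runScenarios() {
		fmt.Printf("scenario %d: firmware URL %q\n", i+1, fw)
	}
}
```

The second scenario is the one the insider-at-a-CA story relies on: the rogue certificate is perfectly valid, so chain validation alone cannot tell the two servers apart. Pinning the ISP’s ACS key (or shipping only the ISP’s private CA in the router, instead of the public root store) removes that attack path entirely, at the cost of having to rotate the pin through a trusted update.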
So What Does It All Mean?
The documentation found in Vault 7 makes it very clear that the CIA has been hacking home routers for the purpose of performing surveillance on individuals. The strategies and techniques for doing this are different from those of the typical router hacker, who is mostly interested in controlling large numbers of home routers. The large-scale attacks on routers have all been accomplished with simple techniques (e.g. default passwords, exploiting simple known vulnerabilities, etc.). But an attack on an individual must address technological obstacles that may require a bit of cleverness.
Is the CIA Spying on ME Using My Router?
This is a great question, and the answer is: we don’t know, yet. It would be great to be able to simply determine whether the firmware in your router contains Cannoli, but we currently don’t know how to do this. There’s simply not enough information in what’s been released to find out. We hope that as more technical information is released, the inner workings of components like Cannoli can be understood and tools to detect it developed.
But we’re not there yet. Stay tuned.
So What Do You Think?
This is a story that will likely continue for quite some time as WikiLeaks makes more information available. When they do, we’ll analyze it and update our blog to reflect what’s currently known about spying on home routers.
We’d love to hear what you think about all of this. Send us a note with your thoughts to firstname.lastname@example.org.