YOUR WI-FI ROUTER, sitting in the corner of your home accumulating dust and unpatched security flaws, provides an attractive target for hackers. Including, according to a new WikiLeaks release, the CIA.
On Thursday, WikiLeaks published a detailed a set of descriptions and documentation for the CIA’s router-hacking toolkit. It’s the latest drip in the months-long trickle of secret CIA files it’s called Vault7, and it hints at how the agency leverages vulnerabilities in common routers sold by companies including D-Link and Linksys. The techniques range from hacking network passwords to rewriting device firmware to remotely monitor the traffic that flows across a target’s network. After reading up on them, you may find yourself itching to update your own long-neglected access point.
Routers make an appealing entry point for hackers, the CIA included, in part because most of them offer no easily accessible interface or performance giveaways when they’ve been compromised. “There’s no sign to tell you whether your router is hacked or not—you’re just on the internet as normal,” says Matthew Hickey, a security researcher and founder of the firm Hacker House, who’s analyzed the documents. “The only thing is that everything you’re doing on the internet is going through the CIA.”
According to the leaked documentation, the CIA’s router-hacking killchain seems to start with a tool called Claymore, which can scan a network to identify devices and then launch the CIA’s router-hacking exploits. The leaked files cite two specific exploits, named Tomato and Surfside. Tomato appears to target vulnerabilities in at least two routers sold by D-Link and Linksys, and is designed to steal those devices’ administrative passwords. The files also note that at least two other routers sold by Linksys could be targeted with Tomato after a few more “manweeks” of development.
The files don’t explain Surfside in any detail, or exactly how the Tomato exploit works, though the documentation hints that it may abuse a protocol called UPNP that security researchers have long warned represents a security liability. It’s not clear if the vulnerabilities that the exploits attack still exist in devices, or if the manufacturers have fixed them, given that WikiLeaks’ Vault 7 files appear to date to early 2016 at the latest. (Neither D-Link nor Linksys responded immediately to a request for comment.) Even if they’ve made a patch available, though, the difficulty of updating router firmware means vulnerabilities often go unaddressed at the consumer level for years. Hickey also notes that the default admin password often resides printed on a sticker on the back on the router; for models on which Tomato or Surfside don’t work, physical access could.
With those credentials, a CIA hacker can then install their own custom firmware, which it calls Flytrap, on a victim’s router. That malicious firmware can monitor the target’s browsing, strip the SSL encryption from web links they click, and even inject other exploits into their traffic, designed to offer access directly to the target’s PC or phone. Yet another piece of software, called CherryTree, serves as a command-and-control system for those hacked routers, allowing operators to monitor and update the infected network devices from a browser-based interface called CherryWeb.
Given the general insecurity of the average home router, it shouldn’t come as a surprise that one of the world’s most well-resourced spy agencies has exploited them for surveillance. But the details of those hacking tools should, if nothing else, serve as a reminder to patch your own home router, as frustrating a process as that may be.
Hacker House’s Hickey says that if users stay vigilant in keeping their router updated, there’s no direct evidence in the CIA leak that their router would be vulnerable to the agency’s spying. But given that most users don’t frequently update their routers, and consumer antivirus software doesn’t track router malware either, WikiLeaks’ release demonstrates just how much of a hacking bonanza the world’s Wi-Fi access points may offer to capable hackers. “Almost every home has a wireless router, and we don’t have many tools to check what’s going on on those devices,” Hickey says. “So it’s quite a stealthy way to get malware into someone’s home.”