avaer 7 years ago

> If users believe their router firmware may have been compromised, Linksys recommends that users download the latest available firmware from http://www.linksys.com/support/ and update your router.

Is there a hardware feature that makes the firmware boot secure in a way that prevents the firmware from interfering with the update? Such as croning itself to reinstall the compromise when you're not looking? Or lying that it updated?

  • bsamuels 7 years ago

    Linksys security guy here - we got that firmware update tidbit from the cherryblossom documentation.

    The firmware implant (aka flytrap) reproduces all of the router's normal functionality. On page 122 of the cherryblossom docs, it says that the firmware upgrade feature is implemented normally by the flytrap, and that if a user attempts to upgrade their router's firmware, it will overwrite the flytrap firmware.

    • Jaruzel 7 years ago

      On the basis that most linksys owners never touch or upgrade their firmware, why aren't linksys (and other manufacturers') products shipped with a physical hardware 'read-only' switch for the firmware to prevent unauthorised remote upgrades?

      • cptskippy 7 years ago

        That makes entirely too much sense. They already have the hardware in the form of the WPS button which no one uses.

    • droopybuns 7 years ago

      Hey man, professional courtesy here: "if linksys users believe their routers are compromised" is possibly the worst way to frame this. You should flatly advise users to update.

      • shawnz 7 years ago

        There's no patch. The fix is just to reflash Linksys firmware to make sure you're not running compromised firmware.

      • qb45 7 years ago

        Given that there is a chance for things to go wrong, I wonder what's the real-world success rate of firmware upgrades performed by nontechnical users? Is it worth it when most devices very likely aren't infected?

    • kentt 7 years ago

      Perhaps I'm missing something, but are you saying you trusted that the malware documentation is correct?

      • bsamuels 7 years ago

        Didn't really have any other choice. We had tons of users calling in last week panicking over what to do about cherryblossom.

        Without a sample of the implant or confirmation from the CIA that the documents are legitimate & unaltered, this advisory is pretty much all we can do for those users.

        • pbhjpbhj 7 years ago

          Didn't you have an infected target to test against?

        • kentt 7 years ago

          Understood. Thank you. It makes sense that you would move on this urgently and confirm its success only after.

      • joefkelley 7 years ago

        Yeah this is a bit worrying. But since it was leaked, this actually doesn't seem so bad. What incentive would the CIA have to lie internally?

        • TheSpiceIsLife 7 years ago

          One good reason I can think of is to have something for leakers to leak that isn't based in reality.

          Or: the CIA leaked it intentionally as smoke-screen.

          I don't know. Are there organisational silos within intelligence agencies? Layers of access? It's hard to know for sure, but I'm yet to see a human organisation that doesn't have political in-fighting.

  • mentat 7 years ago

    Download from non-TLS site, yeah, what could go wrong.

    • concatime 7 years ago

      Sadly true.

      • abfan1127 7 years ago

        because the CIA couldn't create fake certs?

        • Already__Taken 7 years ago

          Not without more risk of being caught.

          • yjftsjthsd-h 7 years ago

            The key question would be whether certificate transparency was involved.

  • mikecb 7 years ago

    Need something with a TPM, like an Onhub/Google Wifi.

    • avaer 7 years ago

      Yes, I was speaking to these routers in particular.

      Because if they don't have this, then this is bad security advice against what is considered a targeted attack.

  • smoyer 7 years ago

    You can disable management via the WAN port and/or wi-fi if you put OpenWRT on them.

    • Jaruzel 7 years ago

      There should have never been management access enabled by default via WAN or WLAN on ANY router to be honest. In a misguided effort to make their consumer devices more 'friendly'[1] they've just made them more insecure.

      --

      [1] Even though most users have no idea the management interface even exists.

      • pbhjpbhj 7 years ago

        It's a tough call. The comms companies who provide my router provide millions of them. They want ACS/TR-069 by default and use it for automated updates.

        I always disable it, but I'll bet I'm something like 1:10k in that respect.

      • yjftsjthsd-h 7 years ago

        I don't mind it being on WiFi. But yeah, public facing management port is insane.
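The lockdown smoyer and Jaruzel are talking about (no management reachable from the WAN, and ideally the daemons bound to the LAN only) is easy to check mechanically on OpenWrt because everything lives in UCI files. The script below is an added example, not part of this thread and not an OpenWrt or Linksys tool: it reads the firewall, dropbear and uhttpd configs and reports anything that leaves the admin interface reachable from the WAN side. The three config texts are constructed for the example, with a weak variant beside a corrected one; the set of management ports (22, 23, 80, 443) is an assumption.

```python
"""Audit OpenWrt UCI configs for management access reachable from the WAN.

Added example, not an OpenWrt or Linksys tool. The config texts below are
constructed; on a router they would be /etc/config/firewall,
/etc/config/dropbear and /etc/config/uhttpd. Assumption: management ports are
dropbear (22), telnet (23) and uhttpd (80/443).
"""
MGMT_PORTS = {"22", "23", "80", "443"}


def parse_uci(text: str) -> list:
    """Minimal UCI reader: list of (section_type, {option: value, list: [values]})."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option" and len(parts) == 3:
            sections[-1][1][parts[1]] = parts[2].strip("'\"")
        elif parts[0] == "list" and len(parts) == 3:
            sections[-1][1].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections


def audit(configs: dict) -> list:
    """Return findings; an empty list means no management service is reachable
    from the wan zone and the daemons are bound to LAN addresses only."""
    findings = []
    for kind, opts in parse_uci(configs.get("firewall", "")):
        # Zone input policy applies to traffic addressed to the router itself.
        if kind == "zone" and opts.get("name") == "wan" and opts.get("input", "").upper() == "ACCEPT":
            findings.append("firewall: wan zone input policy is ACCEPT, router services reachable from the internet")
        # A rule with src wan and no dest targets the router (input), not forwarded traffic.
        if (kind == "rule" and opts.get("src") == "wan" and "dest" not in opts
                and opts.get("target", "").upper() == "ACCEPT"):
            ports = set(opts.get("dest_port", "").split())
            if not ports or ports & MGMT_PORTS:
                findings.append(f"firewall: rule {opts.get('name', '<unnamed>')} accepts WAN traffic "
                                f"to router port(s) {opts.get('dest_port') or 'any'}")
    for kind, opts in parse_uci(configs.get("dropbear", "")):
        if kind == "dropbear" and "Interface" not in opts:
            findings.append("dropbear: no Interface set, sshd binds every interface and relies on the firewall alone")
    for kind, opts in parse_uci(configs.get("uhttpd", "")):
        if kind == "uhttpd":
            for listen in opts.get("listen_http", []) + opts.get("listen_https", []):
                if listen.startswith(("0.0.0.0:", "[::]:")):
                    findings.append(f"uhttpd: web UI listens on all interfaces ({listen})")
    return findings


# Constructed configs: the weak variant beside the corrected one.
WEAK = {
    "firewall": """
config zone
    option name 'wan'
    list network 'wan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config rule
    option name 'Allow-SSH-WAN'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
""",
    "dropbear": """
config dropbear
    option PasswordAuth 'on'
    option Port '22'
""",
    "uhttpd": """
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_http '[::]:80'
""",
}

FIXED = {
    "firewall": """
config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
""",
    "dropbear": """
config dropbear
    option PasswordAuth 'on'
    option Port '22'
    option Interface 'lan'
""",
    "uhttpd": """
config uhttpd 'main'
    list listen_http '192.168.1.1:80'
""",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

The firewall findings are the ones that matter for remote management; the dropbear and uhttpd findings are defence in depth, since a daemon bound to every interface is one firewall mistake away from being public.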

rdtsc 7 years ago

> If users believe their router firmware may have been compromised,

What would make them believe that? Wish they had a detection tool as well. Anyone know of one?

  • agumonkey 7 years ago

    I wonder if there is an easy way to dump the firmware and do a sign / hash check on another machine

    • microwavecamera 7 years ago

      Not really. Devices like consumer routers just weren't designed with these things in mind unfortunately.

      • agumonkey 7 years ago

        Not even with some JTAG line?

        • microwavecamera 7 years ago

          Sorry I thought you meant an easy way. You could with a JTAG interface, but even then the filesystem would have been modified from normal operation so the image of the firmware you dumped would have a different hash than the stock image. You could extract the filesystem and check the binaries and poke around for things that shouldn't be there, but all this isn't exactly something the average person could do to see if they were infected. If you have the equipment and expertise definitely. Honestly these companies need to step up their game and just make better products in my opinion. It's not like the technology isn't available.
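The reason a whole-dump hash never matches the vendor download (microwavecamera's point) is that the dump also contains the bootloader and the NVRAM config region, and NVRAM is exactly the part a factory reset rewrites (bsamuels' point below about the implant surviving a reset). The firmware proper on these boards is a TRX image with its own header and length, so the useful check is to slice out that region, verify its checksum, and hash only that. The script below is an added example, not Linksys or OpenWrt code: the flash dumps and the "stock" image are constructed placeholders built in memory so it runs offline. It assumes the TRX header layout as written by OpenWrt's trx tool (magic "HDR0", 32-bit length, CRC-32 over everything after the CRC field, flags, version, three partition offsets) and that the CRC uses init 0xFFFFFFFF with no final inversion; confirm that against the trx source before trusting it on a real dump. It also assumes the stock image is the bare TRX; if the vendor .bin carries an extra header in front of it, strip that first.

```python
"""Per-region check of a flash dump against a stock TRX firmware image.

Added example, not Linksys or OpenWrt code. The dumps and the "stock" image
are constructed placeholders (no real bootloader or firmware) so the script
runs offline; on a device the dump would come from JTAG or a flash programmer
and the stock image from the vendor download.
"""
import hashlib
import struct
import zlib

TRX_MAGIC = b"HDR0"
# Assumed TRX header layout (little-endian): magic, total length, CRC-32,
# flags, version, three partition offsets. CRC convention assumed: computed
# over everything after the CRC field, init 0xFFFFFFFF, no final inversion.
TRX_HEADER_FMT = "<4sIIHHIII"
TRX_HEADER_LEN = struct.calcsize(TRX_HEADER_FMT)  # 28 bytes


def trx_crc32(data: bytes) -> int:
    # zlib.crc32 inverts its result at the end; the assumed TRX convention does not.
    return zlib.crc32(data) ^ 0xFFFFFFFF


def build_trx(payload: bytes, flags: int = 0, version: int = 1) -> bytes:
    """Wrap a kernel+rootfs blob in a TRX header (used only to build test images)."""
    body = struct.pack("<HHIII", flags, version, TRX_HEADER_LEN, 0, 0) + payload
    length = 12 + len(body)  # magic + length + crc fields precede the body
    return TRX_MAGIC + struct.pack("<II", length, trx_crc32(body)) + body


def find_trx(flash: bytes) -> int:
    """Offset of the TRX image inside a full-flash dump (the bootloader precedes it)."""
    off = flash.find(TRX_MAGIC)
    if off < 0 or off + TRX_HEADER_LEN > len(flash):
        raise ValueError("no complete TRX header in dump")
    return off


def extract_trx(flash: bytes) -> bytes:
    """Slice exactly the TRX image out of the dump and verify its CRC, so a bad
    JTAG read or a truncated dump is reported instead of silently hashed."""
    off = find_trx(flash)
    _magic, length, crc, *_rest = struct.unpack_from(TRX_HEADER_FMT, flash, off)
    image = flash[off:off + length]
    if len(image) != length:
        raise ValueError(f"dump truncated: header says {length} bytes, got {len(image)}")
    if trx_crc32(image[12:]) != crc:
        raise ValueError("TRX CRC mismatch")
    return image


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_dump(flash: bytes, stock: bytes) -> dict:
    """Hash the dump by region. The whole dump never equals the vendor image
    (it also holds the bootloader and NVRAM); only the TRX region must match."""
    image = extract_trx(flash)
    off = find_trx(flash)
    return {
        "whole_dump_matches_stock": sha256(flash) == sha256(stock),
        "firmware_matches_stock": sha256(image) == sha256(stock),
        "trx_offset": off,
        "nvram_sha256": sha256(flash[off + len(image):]),
    }


def verdict(flash: bytes, stock: bytes) -> str:
    try:
        result = compare_dump(flash, stock)
    except ValueError as err:
        return f"unusable dump: {err}"
    return "firmware matches stock" if result["firmware_matches_stock"] else "firmware differs from stock"


# Constructed flash layout: bootloader, TRX image, NVRAM (config) region.
CFE = b"bootloader-placeholder".ljust(256, b"\xff")
STOCK = build_trx(b"stock-kernel+rootfs-placeholder".ljust(1024, b"\x00"))
IMPLANT = build_trx(b"implant-kernel+rootfs-placeholder".ljust(1024, b"\x00"))
NVRAM_DEFAULT = b"wan_proto=dhcp\0wl_ssid=linksys\0".ljust(512, b"\xff")
NVRAM_CUSTOM = b"wan_proto=dhcp\0wl_ssid=home\0http_passwd=hunter2\0".ljust(512, b"\xff")

FLASH_CLEAN_CONFIGURED = CFE + STOCK + NVRAM_CUSTOM
FLASH_CLEAN_RESET = CFE + STOCK + NVRAM_DEFAULT        # factory reset rewrote NVRAM only
FLASH_IMPLANTED_RESET = CFE + IMPLANT + NVRAM_DEFAULT  # reset left the implant's TRX in place

if __name__ == "__main__":
    for label, dump in (("configured, stock", FLASH_CLEAN_CONFIGURED),
                        ("factory reset, stock", FLASH_CLEAN_RESET),
                        ("factory reset, implant", FLASH_IMPLANTED_RESET),
                        ("truncated dump", FLASH_CLEAN_RESET[:-600])):
        print(f"{label}: {verdict(dump, STOCK)}")
```

The two "factory reset" dumps show the point about resets: they share the same NVRAM bytes, and the only difference between them is the TRX region, which the reset did not touch. A matching firmware hash says the TRX region equals the download you compared against, nothing more; it says nothing about the bootloader, and it assumes the download itself is genuine, which is the concern raised earlier in the thread about a non-TLS download site.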

voltagex_ 7 years ago

I wonder if a factory reset is enough in all cases - the source for the factory reset has to be on the device itself.

I haven't played with it much, but there are ways to persist after a reset on Android, I'd assume the same is possible here. Very happy to be corrected.

Anyone know what the cheapest Linksys I could buy is, and whether these vulnerabilities have been released publicly?

  • willstrafach 7 years ago

    > Anyone know what the cheapest Linksys I could buy is, and whether these vulnerabilities have been released publicly?

    To be clear, the main "vulnerability" is just ability to get physical access and re-flash the devices with a custom firmware which allows the access to the target network. The best defense would be locking down the router physically and setting a strong password for the admin portal.

  • bsamuels 7 years ago

    A factory reset _is not_ enough. A factory reset will just clear a part of the NVRAM that holds configuration - any firmware implant will still be on the device.

    There were no vulnerabilities included in the cherryblossom leak. The firmware implant deployment instructions included in the leak don't mention using any vulnerabilities either.

    Almost all of the devices listed in the cherryblossom leak are not being sold anymore.

  • lamlam 7 years ago

    If the security of your router is of concern to you I would recommend setting up your own FreeBSD+pfSense router.

    Another option is to setup a vpn server that all your devices connect to in order to access the internet. In that scenario it won't matter if your router is compromised because all traffic flowing through would be encrypted.

    • posguy 7 years ago

      PFSense runs PHP as root. Let that just sink in for a second. Does that sound like a recipe for security?

      Never mind the community, when it comes to vaguely complex things like IPTV and similar, support is either legacy or gone.

      At this point OpenWRT is the only sane choice, at least it doesn't run everything as root and isn't going to shove off Multicast UDP packet forwarding support in the next year or two.

  • throwanem 7 years ago

    Yeah, I'd think it would take a reflash to get rid of the compromise, since the compromise is implemented by means of firmware replacement to begin with.

    Probably your cheapest bet on the supported device list (ca. p27 of the PDF on Wikileaks) would be a WRT54G v5. The GL models have some support as well, but last I checked they had a relatively high used value, presumably for their hackability - the G models are much more limited.

  • rickycook 7 years ago

    I'm not saying it's happened here, but I'd imagine with router firmware (because it's not too large) it'd be pretty cheap to have a copy of the factory firmware and settings in a physically read only storage of some kind

    • voltagex_ 7 years ago

      You're correct in some cases. My last "consumer" router was a TP Link Archer D9 and doing a factory reset only restored the last flashed version of the firmware - so that partition was writeable during updates at least.

a3n 7 years ago

So ... the latest available firmware for mine is from jan 2016. Clearly there would be no fix in that firmware. So the idea is that I'm installing a known/assumed/hoped "good" firmware, to replace the potentially bad firmware. Yes?

(And the latest available is newer than what's on my router now, so might as well.)

  • problems 7 years ago

    Yes, not an exploit - just a modified firmware that they might have installed if they broke in via other means (physical or wifi cracking for example).

chx 7 years ago

Isn't this a lie though? They do not mention remote compromise and I would bet dollars to doughnuts most old routers have RCE holes.

  • bsamuels 7 years ago

    There were no vulnerabilities included in the cherryblossom leak.

    If you have any information about RCEs, Cherryblossom details we may have missed, or any other vulnerabilities in Linksys devices, please email me directly at benjamin.samuels at belkin.com

    • chx 7 years ago

      "This customized firmware can be loaded onto a router using one of the following methods:"

      If I understood things correctly, the Cherryblossom thing is a firmware and while this particular leak didn't mention any new RCEs I am surprised a bit that the possibility of using any other RCE was categorically ruled out by the wording of the advisory.