Network Security, Vulnerability Management

Vault 7: WikiLeaks dumps reveal CIA’s use of home router exploits

WikiLeaks has released documents detailing exploitation by US intelligence agencies of router vulnerabilities. The group, headed by Julian Assange, released the internal US Central Intelligence Agency (CIA) documents on 15 June.

The newest round of the Vault 7 leaks, a tranche allegedly taken from the CIA's hoard of exploits, came with an allegation that the agency had been using the vulnerability for years to enslave routers.

WikiLeaks wrote in its disclosing blogpost that “such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium-sized companies as well as enterprise offices.”  

The post added, “These devices are the ideal spot for ‘Man-In-The-Middle' attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users.”

The leaked information comes from CherryBlossom, a joint project between the CIA and Stanford Research Institute. The documents detail the CIA's modification of the router's firmware which, dubbed FlyTrap, could monitor internet traffic and search for key pieces of information within it such as “email addresses, chat usernames, MAC addresses and VoIP numbers”.

Moreover, FlyTrap could be installed remotely and would even allow its controller to redirect internet traffic to arbitrary sites.

WikiLeaks' documents detail the CIA's attempts to exploit routers from a variety of manufacturers, such as D-Link and LinkSys.

Much has been made of the practice of vulnerability hoarding in the weeks following the WannaCry attack, which leveraged a vulnerability published by a group called the Shadow Brokers but was originally devised by a group purported to be linked to the National Security Agency (NSA). Intelligence agencies are widely regarded, and in some cases proven, to hoard vulnerabilities for their work.

The issue commonly sparks volatile reactions from government supporters as well as critics.  However, the publication of these vulnerabilities by organisations such as WikiLeaks is also widely condemned.

“Whilst one could argue that WikiLeaks provides a public duty in uncovering issues that would otherwise be kept secret, in regard to Vault 7 the disclosure is reckless,” Graham Mann, managing director of Encode Group UK, told SC Media UK. Organisations like the CIA need to develop secret cyber-weapons, said Mann ,the disclosure of which not only degrades them but offers them to people with less than noble intentions.

“We only have to look at what happened with WannaCry,” added Mann, “to see the potential fallout from leaked government-developed cyber-weapons. The CIA have to improve their internal security, clearly, and find the mole, but WikiLeaks must desist in publishing this information or be forced to, for all our good.”

Ewan Lawson, senior fellow for military influence at the Royal United Services Institute, told SC, “It is unsurprising that an agency like the CIA would seek to exploit the vulnerability and obviously the utility of the exploit is now blown by WikiLeaks.”.

The key to protecting individuals against exploitation, he added, “is whether the vendor is not just releasing appropriate updates [for their products] but actively notifying users of the need to update. I was at an event last week where there was some criticism of MS [Microsoft] that whilst they released a critical update prior to WannaCry, they did not highlight its practical significance.”

The release of this router exploit is merely the latest in the series of Vault 7 dumps, allegedly taken from inside the CIA.

The first dump was called Dark Matter, which was designed to exploit Apple products. It was released by WikiLeaks as the maiden entry into a series of such dumps. Over the following few months, the group has released a new exploit roughly every week, with its most recent entry being Cherry Blossom.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.