
How can attacks like the Cherry Blossom project be prevented?

With the WikiLeaks Cherry Blossom project, attackers can potentially inject malicious firmware into wireless routers. Expert Michael Cobb explains how to stop it from happening.

WikiLeaks released information on the CIA's Cherry Blossom project, which it alleges was aimed at compromising wireless routers and access points to monitor and manipulate the internet traffic of targeted users. What security lapses in wireless router implementations allowed this, and how can attacks like Cherry Blossom be prevented?

The WikiLeaks Vault 7 release revealed details of an alleged CIA project to hack wireless routers and access points to monitor, and even control and manipulate, users' internet activity.

Called the Cherry Blossom project, its 175-page user manual details how to abuse weaknesses in the way firmware updates are installed on many routers to inject its own custom firmware. These covert man-in-the-middle attacks may have been occurring since 2007, though it's still not entirely clear which routers have been successfully compromised and to what extent.

Routers direct network traffic to their final destination, passing IP packets between servers, computers, mobile and other networked devices. Given the important role they play, their security is paramount because, if a malicious actor manages to take control of a router, they control all the traffic that passes through it. This effectively turns it into a wiretap and enables them to scan for email addresses, passwords and any data of interest.

Malicious content can also be silently injected into the data stream between a user and the internet to exploit vulnerabilities in the user's applications or operating system.

The Cherry Blossom project can install malicious firmware even without physical access, because some devices allow their firmware to be upgraded over a wireless link. The real weakness that is exploited, though, is the failure of many routers to validate the digital signature of a firmware update before installing it. Even on some enterprise-grade routers that can validate signed firmware, the functionality is not enabled by default. Routers that rely only on an MD5 hash to check an update are also open to attack: a checksum can be recomputed by whoever replaces the image, and MD5 itself is no longer considered secure.
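The difference between a checksum and a signature is the whole point of the paragraph above, so here is an added example (not code from the original article, and not any vendor's real update format) that builds a small firmware container and verifies it two ways. The image layout, the magic bytes, the key pair and the payload strings are all constructed for the example; a real device would ship the vendor's public key in read-only storage rather than generating one at run time.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (an assumption, not a real vendor format):
//   magic(4) | payload length(4, big-endian) | payload | md5(16) | ed25519 signature(64)
// Both the MD5 and the signature cover magic + length + payload (the "body").
var magic = []byte("FWIM")

const (
	hdrLen = 8
	md5Len = md5.Size
	sigLen = ed25519.SignatureSize
)

// SampleKeypair generates a throwaway vendor signing key for the demonstration.
func SampleKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// encodeBody writes the header and appends the payload.
func encodeBody(payload []byte) []byte {
	body := make([]byte, hdrLen, hdrLen+len(payload))
	copy(body, magic)
	binary.BigEndian.PutUint32(body[4:], uint32(len(payload)))
	return append(body, payload...)
}

// BuildImage is the vendor build step: checksum and sign the body with the private key.
func BuildImage(payload []byte, priv ed25519.PrivateKey) []byte {
	body := encodeBody(payload)
	sum := md5.Sum(body)
	sig := ed25519.Sign(priv, body)
	return append(append(body, sum[:]...), sig...)
}

// split validates the framing and returns body, stored MD5 and stored signature.
func split(img []byte) (body, sum, sig []byte, err error) {
	if len(img) < hdrLen+md5Len+sigLen || !bytes.Equal(img[:4], magic) {
		return nil, nil, nil, errors.New("malformed image")
	}
	n := int(binary.BigEndian.Uint32(img[4:8]))
	if len(img) != hdrLen+n+md5Len+sigLen {
		return nil, nil, nil, errors.New("length field does not match image size")
	}
	return img[:hdrLen+n], img[hdrLen+n : hdrLen+n+md5Len], img[hdrLen+n+md5Len:], nil
}

// VerifyChecksumOnly models the weak check: it catches accidental corruption, but whoever
// rewrites the payload can recompute the MD5, so it says nothing about who produced the image.
func VerifyChecksumOnly(img []byte) ([]byte, error) {
	body, sum, _, err := split(img)
	if err != nil {
		return nil, err
	}
	if want := md5.Sum(body); !bytes.Equal(want[:], sum) {
		return nil, errors.New("checksum mismatch")
	}
	return body[hdrLen:], nil
}

// VerifySigned is the hardened check: accept the image only if the signature over the body
// verifies under the vendor public key the device already holds.
func VerifySigned(img []byte, pub ed25519.PublicKey) ([]byte, error) {
	body, _, sig, err := split(img)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature does not verify under the vendor key")
	}
	return body[hdrLen:], nil
}

// ReplacePayload models a substituted update as seen by the device: a different payload with
// a freshly computed MD5, but the original signature, since no vendor private key is available.
func ReplacePayload(img, newPayload []byte) []byte {
	_, _, sig, err := split(img)
	if err != nil {
		return nil
	}
	body := encodeBody(newPayload)
	sum := md5.Sum(body)
	return append(append(body, sum[:]...), sig...)
}

func main() {
	pub, priv, _ := SampleKeypair()
	genuine := BuildImage([]byte("constructed genuine firmware payload"), priv)
	substituted := ReplacePayload(genuine, []byte("constructed substituted payload"))
	for name, img := range map[string][]byte{"genuine": genuine, "substituted": substituted} {
		_, errSum := VerifyChecksumOnly(img)
		_, errSig := VerifySigned(img, pub)
		fmt.Printf("%-11s checksum-only accepts: %v   signature accepts: %v\n", name, errSum == nil, errSig == nil)
	}
}
```

Running it shows the genuine image passing both checks and the substituted image passing the checksum-only check while failing the signature check. A device that stops at the checksum is exactly the kind the article says should be replaced; one that refuses the image unless VerifySigned succeeds is what "validate the digital signature" means in practice.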

To mitigate these types of attacks, network administrators should ensure that all routers and access points require administrator rights to update firmware. The default administrator account's credentials should also be changed; in 2016, the Mirai malware targeted internet of things devices using factory default usernames and passwords.

Regular audits should be carried out to ensure any available firmware updates are installed, and the installation should follow a documented process. Routers that don't have the ability to validate the digital signature or checksum of an update before it is installed should be replaced; otherwise, it's trivial for any hacker to load custom malicious firmware. Internal monitoring systems should also flag any unusual or suspicious account activity, as this may indicate that an account or device has been compromised.

Administrators who are concerned that their routers may have been a target of a Cherry Blossom project attack should check whether their models appear in the published list of targeted routers.
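The mitigations above come down to a few checkable conditions: firmware updates only by the administrator account, only through a documented process, only with the image validated, and any departure from that flagged by monitoring. As an added example that is not part of the original article, the following detector applies those conditions to router management-plane log lines. The log format, the host names, the management network 10.0.5.0/24, the maintenance window (08:00 to 18:00 UTC) and the sample lines are all constructed for the example; a real deployment would feed it the device's actual syslog output.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// Constructed log lines in an assumed format (not any vendor's real syslog layout):
//   <RFC 3339 time> <host> <event> key=value ...
var sampleLog = `2017-11-02T09:15:02Z ap-lobby login user=admin src=10.0.5.12 via=https result=ok
2017-11-02T09:16:40Z ap-lobby firmware_update user=admin src=10.0.5.12 via=https image=fw-2.4.1.bin sigcheck=ok result=ok
2017-11-03T03:02:11Z ap-lobby login user=admin src=203.0.113.77 via=http result=ok
2017-11-03T03:02:58Z ap-lobby firmware_update user=admin src=203.0.113.77 via=http image=update.bin sigcheck=skipped result=ok
2017-11-03T03:10:00Z ap-east login user=support src=10.0.5.40 via=wlan result=ok
2017-11-03T03:11:30Z ap-east firmware_update user=support src=10.0.5.40 via=wlan image=fw.bin sigcheck=ok result=ok`

// Finding is one policy violation tied to the host and time it occurred.
type Finding struct {
	Host   string
	When   time.Time
	Reason string
}

var (
	// Assumed policy: only this account may install firmware, only from the management
	// network, only over a wired management interface, only during the maintenance window.
	adminAccounts    = map[string]bool{"admin": true}
	_, mgmtNet, _    = net.ParseCIDR("10.0.5.0/24")
	windowStartHour  = 8
	windowEndHour    = 18
)

// parseLine splits one record into timestamp, host, event name and key=value fields.
func parseLine(line string) (ts time.Time, host, event string, kv map[string]string, ok bool) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return
	}
	kv = map[string]string{}
	for _, p := range f[3:] {
		if parts := strings.SplitN(p, "=", 2); len(parts) == 2 {
			kv[parts[0]] = parts[1]
		}
	}
	return t, f[1], f[2], kv, true
}

// Analyze runs the policy checks over every parseable line and returns the findings.
func Analyze(text string) []Finding {
	var out []Finding
	for _, line := range strings.Split(text, "\n") {
		ts, host, event, kv, ok := parseLine(line)
		if !ok {
			continue
		}
		add := func(reason string) { out = append(out, Finding{host, ts, reason}) }

		// Any management access (login or update) from outside the management network.
		if ip := net.ParseIP(kv["src"]); ip == nil || !mgmtNet.Contains(ip) {
			add("management access from outside the management network (" + kv["src"] + ")")
		}
		if event != "firmware_update" {
			continue
		}
		// The checks that map directly to the article's mitigations.
		if kv["sigcheck"] != "ok" {
			add("firmware installed without signature validation")
		}
		if !adminAccounts[kv["user"]] {
			add("firmware update by non-administrator account " + kv["user"])
		}
		if kv["via"] == "wlan" {
			add("firmware update performed over a wireless link")
		}
		if h := ts.UTC().Hour(); h < windowStartHour || h >= windowEndHour {
			add("firmware update outside the documented maintenance window")
		}
	}
	return out
}

func main() {
	for _, f := range Analyze(sampleLog) {
		fmt.Printf("%s %-9s %s\n", f.When.Format(time.RFC3339), f.Host, f.Reason)
	}
}
```

On the constructed sample the routine, signed, daytime update on ap-lobby produces nothing, while the 03:00 update from an external address with the signature check skipped and the support-account update over the wireless link each produce several findings. The rules are deliberately simple; the value is in tying each one to a specific control from the checklist so that a finding tells the operator which control was bypassed.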


This was last published in November 2017
