Router security issues highlighted by CIA's CherryBlossom project

Firmware router security issues

Experts noted that the major issue exploited by the CherryBlossom project is that many routers do not validate the digital signature of a firmware update.

Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said the bigger story than the CIA's involvement is "how requiring digitally signed firmware will prevent this specific attack."

An important thing to note is that with admin level access (which the CIA needs for this) attackers without CIA level budget can achieve most of the same goals

"It's easy. If the router isn't validating digital signatures on the firmware, it's trivial to load custom malicious firmware," Williams told SearchSecurity. "Most routers don't validate signatures. You need enterprise-grade before most of them do it."

However, Bobby Kuzma, security researcher for Core Security, noted that there may be router security issues with enterprise-grade devices not enforcing firmware signing.

"On the enterprise side, the big router manufacturers have offered validation of signed firmware for quite some time. The problem is that it's not enabled by default for the most part, and it requires that a network admin actually go and do something," Kuzma told SearchSecurity. "Both the Cisco and Juniper tools rely on MD5 hashes. MD5 is broken as a hashing algorithm, with several known and feasible techniques for generating identical hashes from wildly different binary content."

John Bambenek, threat systems manager at Fidelis Cybersecurity, said if a malicious actor could control the router, they can control everything.

"I could easily redirect DNS requests to a server I control which would mean I know every domain you look up. I could reroute all of your traffic through a device I control, which means I could set up a wiretap," Bambenek told SearchSecurity. "I could have URLs and passwords sent to a central server. In essence, it turns your home router into an intelligence listening post."

Router security issues beyond firmware signing

Williams noted that loading custom firmware wouldn't even be necessary to perform similar attacks as with the  CherryBlossom project.

"To ever install firmware they need admin level access to the router. If they have that, they can modify the upstream info like DNS (and iptables in many models) and capture traffic on many models with no firmware at all. If I control your DNS, I MitM anything," Williams said via Twitter. "So an important thing to note is that with admin level access (which the CIA needs for this) attackers without CIA level budget can achieve most of the same goals."

Kuzma said that custom firmware allows for additional stealth and "all kinds of fun features that aren't standard."

"Via an implant you could silently redirect traffic, capture traffic as it transits the router, or even use the router itself as a pivot point to relay command traffic to implants elsewhere within a network, and to do so without raising suspicion in the form of logs of remote access," Kuzma said.

Ken Spinner, vice president of field engineering at Varonis Systems, said router security issues should often fall on the manufacturers who have a "ship-it-out-and-update-later mentality," even though many -- especially consumers -- never update router firmware.

"Attacks like these underscore that the perimeter will always have leaks -- and like many of our aging technologies, routers weren't built with security in mind. We've got to be more proactive in planning for attackers breaching the first line of defenses: and therefore have security controls in place to monitor and detect intruders," Spinner told SearchSecurity. "If hackers use something like CherryBlossom to scan for information like passwords, you're going to need security defenses on the inside to make sure that user accounts and access to sensitive information is monitored -- so that you know when a user starts behaving suspiciously or an account is compromised."