Menu
What's new
By:
Filters Better Search

Ars: Advanced CIA firmware can turn home routers into recon slaves

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Only people like RMerlin may be able to justify if router firmware has possible backdoor to allow those firmware injections, unless the backdoor is in a closed source part of the firmware.
It might be too simple said: if you don't have to hide anything, then don't worry.
Backdoors are there from the moment doors are invented, the locksmith was always able to open locked doors but he never opens all doors in town.
Another comparison you must keep in mind: the postman could read every letter he has to distribute, how many letters does the read during the day?
Do you know how many footprints you leave behind on Internet and what the value of these are?
 
So I wonder if we need to start reflashing the firmware every so often?

pfsense seems to not be affected based on reddit. I guess it is good I am running pfsense now.

I still have a Cisco RV320 router which I have not used in a while.
 
RMerlin said:
The issue here however is the fact that they can use an exploit to gain root access to your router, and flash a modified version of the firmware. Or so they claim.

There are quite a few things however that sound odd with this whole Cherry Blossom report. For instance, flashing a modified firmware would imply that anyone accessing the webui would see a different version. It's unlikely that they have modified images for every single version available, both stock and third party.

It's much more likely that what they could do is inject new routes within a running firmware rather than flat out replace the existing firmware. Unlike a Cisco router, a webui makes it VERY easy to notice that you're not running the original firmware.

If I didn't know better, I'd start wondering whether this Cherry Blossom is actually real or not. Too many of their claims simply make no sense to me. Another example, their document claim that it's easy to inject into a compromised device even if the firmware has been updated. That would imply that whatever security hole they use to inject themselves couldn't be patched by a firmware update - a claim I strongly disbelief.

Let's also not forget the fact that this is based on a 5 years old document...
Click to expand...

Could be like cell-phones with plenty of places to hide tiny amounts of code. Even a microSD has a processor and memory.
 
aolone said:
among them ASUS.
How does this affect Merlin asuswrt?
http://www.zdnet.com/article/cia-ha...i-fi-routers-for-years-leaked-documents-show/
Click to expand...

If the CIA reflashed your currently installed firmware with theirs, you would know it quite easily. Unlike with, say, Cisco IOS, those home routers have a web interface, with a lot of unique visible elements that would be different if you were to flash a different firmware on top of it.

There's a lot of FUD and dubious claims in this whole document and its media coverage. I'm starting to get close to calling BS on it, to be honest.
 
Threska49 said:
Could be like cell-phones with plenty of places to hide tiny amounts of code. Even a microSD has a processor and memory.
Click to expand...

Hiding code isn't that hard, and definitely in the realms of possibility. However, that document claim they REFLASH the firmware. That's not the same thing at all.
 
RMerlin said:
What digital signature? Router firmware are not signed... And if there were, then it would mean there would be NO third party firmware possible.

Careful what you wish for...
Click to expand...

Agreed - and having signed code might not eliminate attacks against the running software - shellcode is one example, and /tmp needs to be writable...

In-memory attacks are becoming more prevalent these days, and there, nothing would be written into the file system, even on relatively secure platforms (yes, I include Win10 in that bucket).

Signed code itself would not protect against such attacks.

My concern is that state actors are hoarding ZeroDay exploits, and this puts everyone at risk.
 
coxhaus said:
pfsense seems to not be affected based on reddit. I guess it is good I am running pfsense now.
Click to expand...

Only against this attack - there might be others that have not been disclosed - to the credit of the pfSense team, they jump on vulns pretty fast....

Same would go for the OpenWRT folks...
 
RMerlin said:
There's a lot of FUD and dubious claims in this whole document and its media coverage. I'm starting to get close to calling BS on it, to be honest.
Click to expand...

Concur... it's getting a bit overblown...

The concern here is that the exploit was not in the vendor code, but upstream from the Chipset's SDK that many use - hence the wide exposure.

And many of the affected platforms are end-of-support...

At least with some of the Asus devices - both the OEM and the 3rd party community sustain these platforms for the long term.
 
I agree with Merlin and so too with sfx2000 that the problem lies at the infected chipset level and not the software. There is no end to this.
 
Why go for individual routers when you can plug in to something like LINX in the UK and copy all international packets to X or from Y? I suspect this report is FUD
 
You must log in or register to reply here.
Similar threads
Thread starter Title Forum Replies Date
D News [Ars] Critical takeover vulnerabilities in EOL'd D-Link NASes are being exploited General Network Security 2

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 607 (members: 14, guests: 593)
Top