Your Wi-Fi router, sitting in the corner of your home accumulating dust and unpatched security flaws, provides an attractive target for hackers. Including, according to a new WikiLeaks release, the CIA.
On Thursday, WikiLeaks published a detailed a set of descriptions and documentation for the CIA’s router-hacking toolkit and it hints at how the agency leverages vulnerabilities in common routers sold by companies including D-Link and Linksys. The techniques range from hacking network passwords to rewriting device firmware to remotely monitor the traffic that flows across a target’s network. After reading up on them, you may find yourself itching to update your own long-neglected access point.
Routers make an appealing entry point for hackers, the CIA included, in part because most of them offer no easily accessible interface or performance giveaways when they’ve been compromised. “There’s no sign to tell you whether your router is hacked or not—you’re just on the internet as normal,” says Matthew Hickey, a security researcher.
Tomato and Surfside
According to the leaked documentation, the CIA’s router-hacking killchain seems to start with a tool called Claymore, which can scan a network to identify devices and then launch the CIA’s router-hacking exploits. The leaked files cite two specific exploits, named Tomato and Surfside. Tomato appears to target vulnerabilities in at least two routers sold by D-Link and Linksys, and is designed to steal those devices’ administrative passwords. The files also note that at least two other routers sold by Linksys could be targeted with Tomato after a few more “manweeks” of development.
The files don’t explain Surfside in any detail, or exactly how the Tomato exploit works, though the documentation hints that it may abuse a protocol called UPNP that security researchers have long warned represents a security liability. It’s not clear if the vulnerabilities that the exploits attack still exist in devices, or if the manufacturers have fixed them, given that WikiLeaks’ Vault 7 files appear to date to early 2016 at the latest.
Hickey also notes that the default admin password often resides printed on a sticker on the back on the router; for models on which Tomato or Surfside don’t work, physical access could.
YOU MAY ALSO ENJOY: Why the humble router remains one of the most insecure devices in your home
With those credentials, a CIA hacker can then install their own custom firmware, which it calls Flytrap, on a victim’s router. That malicious firmware can monitor the target’s browsing, strip the SSL encryption from web links they click, and even inject other exploits into their traffic, designed to offer access directly to the target’s PC or phone.
Given that most users don’t frequently update their routers, and consumer antivirus software doesn’t track router malware either, WikiLeaks’ release demonstrates just how much of a hacking bonanza the world’s Wi-Fi access points may offer to capable hackers. “Almost every home has a wireless router, and we don’t have many tools to check what’s going on on those devices,” Hickey says. “So it’s quite a stealthy way to get malware into someone’s home.”