CIA could hack your WiFi router, revealed WikiLeaks in its series of leaks Code-named “Vault 7“.
Wikileaks’ Vault 7 reveals that the CIA uses HIVE for this purpose. It’s a multi-platform CIA malware suite and its associated control software. The project provides customizable implants for Windows, Solaris, and MikroTik (its OS is used in Internet routers). The agency exploits vulnerabilities in commonly used WiFi routers such as D-Link and Linksys. Specific techniques may include:
- Hacking network passwords
- Rewriting device firmware
- Remotely monitoring the target’s network traffic
CIA has been hacking Wi-Fi routers and using them as covert listening points for a DECADE, documents reveal https://t.co/AywUXED6EA
— Daily Mail US (@DailyMail) June 20, 2017
How Does It Work?
CIA uses Listening Posts (LP) and Command and Control (C2) systems to communicate with and control CIA implants (similar to the ones used for router hacking). WikiLeaks details the actual process of hacking as follows:
- Implants configured to communicate via HTTPS with the webserver of a cover domain
- A separate cover domain and the infrastructure to handle cover domains
- Cover domain resolves to an IP address that is located at a commercial VPS (Virtual Private Server) provider
- The public-facing server forwards all incoming traffic via a VPN to a ‘Blot’ server
- It is setup for optional SSL client authentication if a client sends a valid client certificate
- The connection is forwarded to the ‘Honeycomb’ tool server that communicates with the implant
- The traffic is forwarded to a cover server that delivers an unsuspicious looking website if a valid certificate is missing
- The Honeycomb tool server receives exfiltrated information from the implant
NOTE: Hive provides implants for the following target operating systems and processor architectures.
When Did The CIA Gain Router-Hacking Capability?
In short, it’s been going on since long, at-least since 2012.
The agency maintains a “covert, globe-spanning force — its own substantial fleet of hackers”.
— WikiLeaks (@wikileaks) June 16, 2017
WikiLeaks notes that “by the end of 2016, the CIA’s hacking division, which formally falls under the agency’s Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other “weaponized” malware.”
5000+ registered users, that’s a big number.
Which Other Hardware Devices Were Affected?
The customizable implants used to hack routers were also used to infiltrate Microsoft Windows, Solaris, and Linux platforms.
“CIA hacker can install their own custom firmware, which it calls Flytrap, on a victim’s router. That malicious firmware can monitor the target’s browsing, strip the SSL encryption from web links they click, and even inject other exploits into their traffic, designed to offer access directly to the target’s PC or phone,” reports Andy Greenberg of Wired magazine.
A major consequence of CIA and notorious hackers is pretty scary. Not only can your browsing be monitored, the target’s device can also be used to control and exfiltrate data from the router. It’s like infecting a target at the source of his/her online activity.
CIA and other hackers targeting a passive device like a router for mounting cyber attacks are understandable. The routers are not upgraded as frequently as a computer operating system and security vulnerabilities are not fixed early. This leaves the users vulnerable to hacking. A stealthy but an effective way to break into the internet traffic of targets.
When it comes to online surveillance, both NSA and CIA compete with each other to gain leverage by developing hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits.
How To Save Yourself From Router Hacking?
As in the case of other online vulnerabilities, there are some good practices you may follow to save yourself. These include:
- Enable WPA2 (WI-Fi Protected Access)
- Create a Strong SSID Network Name
- Enable Firewall of Your Router
- Enable Logging Feature
- Use a VPN