The National Institute of Science & Technology (NIST) is charged with setting standards and communicating those to the public.  Vulnerabilities that have impacted computing devices, allowing for root and permanent take over of routers, servers, tablets, computers and smartphones, among other IOT (Internet of Things) devices, all stem from weak encryption or a lack thereof by devices manufacturers as it relates to the secure update of firmware for hardware devices.  NIST has recommended adopting much more secure AES encryption by manufacturers when incorporating Root of Trust validation of firmware images for peripherals, motherboards and other hardware devices.  Despite this, many manufacturers still lack incorporation of secure encryption algorithms used to validate update firmware as being genuine, leaving many computing devices vulnerable to permanent compromises that can only be remedied by flashing or replacing chips on the motherboard and peripherals that store firmware and can also store malware.

If a computing device has been compromised on the firmware level, it can issue instructions to seek out remote code to infect a newly replace hard drive loaded with a secured operating system.  I spoke to Corey Kallenberg security researcher with Apple, last Fall regarding my analysis and observations involving the Apple OSX platform and asked him what steps could I take to restore my compromised Mac and was told that I needed to replace my motherboard.  Obviously, this is a problem that is beyond most IT security teams ability to remediate.  I am uncertain if Apple has a firmware restoration CD that can be used to rescue a firmware compromised Mac, but have requested one a number of times without any success.A few months after my discussions with Apple research Corey Kallenberg, the Department of Homeland Security issued the first statement on this threat vector to my knowledge in a bulletin they sent out to Industrial Control Systems providers titled, “Malware Trends”, October 2016.  This bulletin disclosed that malware is often being loaded into memory with no ability to detect it on the filesystem stored on the hard drive or other load media.  As we now know, the storage vectors for the malware include the chips onboard the computer’s motherboard and attached peripherals within their microchips.  The bulletin further stated:

“Basic Input/Output System (BIOS) level malware takes a lower level approach than MBR and VBR bootkits, infecting the actual code running immediately after powering on a system. This form of malware is particularly dangerous, as the BIOS has privileged access to hardware on boot. Any code injected into the BIOS could directly affect any aspect of the system by executing at a lower level than any other code on the system.”

The vulnerabilities facing the world today that are making the world subject to never stopping cyber attacks that will not curtail until the hardware manufacturers, chip makers and peripheral makers all take security much more seriously and comply with the U.S. Government’s request via NIST to protect computing devices and equipment with non-crackable encryption (uncrackable only by today’s consumer PC standards) as it relates to the secure loading of firmware updates.  One bad update that is forced onto a piece of hardware due to weak or insufficient cryptographic authentication can permanently leave a device compromised such that future attempts to update the firmware, leave the user a false sense of security by seeing a change of version, but without any of the protection intended.  The advisory further cautioned that hardware once compromised by sophisticated malware may have to be completely discarded.

“What makes this particular form of malware more threatening is that a great deal of remediation techniques—such as reformatting the device, or running entirely off a live disc—do not mitigate the risk. Only fully restoring the BIOS of the motherboard would take it out, a process that IT personnel typically avoid because of a higher potential for costly issues to arise during flashing. Even with this level of remediation, re-flashing assumes that the malware has not modified the internal flashing process during its time on the box, which could make any flashing via software ineffective or destructive and would require specific hardware devices to flash the board directly. Ultimately, this kind of exploitation can easily lead to a full replacement of hardware because of the asset owner’s inability to determine if they have truly eradicated
the malware.“

NIST’s publication http://csrc.nist.gov/publications/drafts/800-193/sp800-193-draft.pdf states on page 22 the vulnerable vectors to include the ROMs, and microchips on USB devices, network controllers and graphic control cards.

“While previous efforts have addressed protection of BIOS (e.g., NIST SP 800-147 [1], NIST SP 800-147B [2]), there remains other security-critical firmware in the platform that has not been addressed. These include option ROMs, management controllers, service processors, firmware on disk/flash drives, network controllers, and graphics processing unit. Protection must also extend to critical data associated with the firmware being protected, as some of this data could be a vector of attack which can compromise the integrity of the platform. “

All of this obviously will lead to much angst for IT security staff attempting to remediate malware that has infected motherboard and other on peripheral hardware microchips.  Recently disclosed efforts by some major health care systems to completely replace the hard drives on malware infected systems may prove to be a major expense that fails to mitigate the problem.

I spoke recently to security researcher, Dragos Rui a researcher that discovered and reported many years ago the potential for a computer’s BIOS to be compromised.  He shared with me that he strongly recommends never sharing any peripheral components, including mice, keyboards, monitors or other USB storage between old and newly purchased computers, since those devices can allow for egress of malware onto newly purchased components.  This is consistent with the recommendations to ICS provider’s in US-Cert’s October 2016 Malware Trends advisory.

Assuming an organization is judicious and refrains from sharing peripherals, there still are other attack vectors that can allow for newly purchased computing devices to quickly become infected in a matter of minutes according to Rui.  Insecure components such as many components made by Realtek can be easily compromised and taken over to change the functioning of those devices.

Router vulnerabilities have been reported recently that impact Cisco and most consumer wifi routers can allow an attacker to upgrade the firmware of these devices such that your router becomes owned by the attacker.  A new computer that connects through one of these devices is highly vulnerable to remote code injection attacks, whereby the compromised router inserts additional javascript into the webpage a user is attempting to access.  Firmware downloads can be modified such that they replace an update to your computing device you attempt to download from the manufacturer’s website with a forged signed update using SHA1 or weaker encryption algorithms.  These firmware updates can then be tricked onto the system by performing NTP (Network Time Protocol) time roll back attacks in which the victim’s computer or hardware device’s clock time is rolled back to a date when the weak encryption signatures are allowed to validate and update the hardware, leaving the device permanently owned if the attack is successful.

Every Neighborhood in the U.S. Is Vulnerable to Router WiFi Implants

Recent disclosures and leaks of information to WikiLeaks of alleged U.S. Government Intelligence Organization Hacking Tools has left everyone vulnerable to cyber attacks.  Further problems can occur when a router has been compromised with leaked Cyber Weapons such as the recently leaked WiFi Router Implant called Cherry Blossom. https://wikileaks.org/vault7/document/WiFi_Devices/

Cherry Blossom reportedly impacts a multitude of WiFi Routers including devices made by:

• 3Com
• Accton
• Aironet
• Cisco
• Allied Telesyn
• Ambit
• AMIT, Inc
• ANI Communications
• Apple
• Asustek Co
• Belkin
• Breezecom
• Cameo
• D-Link
• Epigram
• Gemtek
• Global Sun
• Hsing Tech
• Linksys
• Motorola
• Orinoco
• Planet Tec
• RPT Int
• Senao
• US Robotics
• Z-Com

I suspect all of you reading this have a router that you use at home that is manufactured by one of these WIFI access point makers!

What does Cherry Blossom do?

From my review of documentation posted to Wikileaks, It appears that Cherry Blossom is able to take over most of today’s non-patched consumer WiFi routers such that control of the device is rooted onboard the firmware.  What I find frustrating is that if you were to purchase one of these devices from a local retailer, if would not be patched to protect you against these recently disclosed vulnerabilities, thereby leading you to waste your money in your effort to replace your home router.  You should be able to purchase a router and request that the retailer fully patch the device before you deploy it in a potentially compromised environment.   The router implant accomplishes much of its work by overriding DNS queries and causing MITM (Man In the Middle) attacks to occur on connecting devices which can compromise a secured computer that has been fully patched.  Insertions of javascript code by the compromised router into the end user’s loaded web page can lead to account credential interception, exfiltration of content accessed and even morphing of the page content. Jquery code libraries and javascript can be used to serve end users webpages that are nested within iFrames, allowing for exfiltration of presumably secure page content.

If you have been compromised by Nation State Malware derivatives, or are suspect that there is an intruder on your network, you need to have your devices audited to ensure you are safe.  The key to recovering from today’s nation state derived malware attacks is to ensure you are using hardware secured as recommended by NIST starting with your WiFi router.  If you are unsure if you are vulnerable or not, I recommend using a Internet Privacy VPN service that can initiate a secure connection between your machine and a remote router and can help protect you from code injection attacks if your router has been compromised.  If the computer you are using is compromised, using a VPN will not protect you from having page content intercepted, transmitted, blocked or even morphed.

The Solution to Stop Ongoing Cyber Attacks

• Firmware updates need to be available to businesses, government and consumers that are delivered reliably through other mechanisms than the Internet
• Read only disk media from the OEM’s (Original Equipment Manufacturer) should be available for delivery via mail or purchased from the point of purchase in order to bypass router injection attacks that may keep compromised parties permanently vulnerable
• OEM’s should issue with their update disk media, a tool that validates the firmware presently installed as authentic and not compromised, otherwise infections will persist that remain undetected
• New firmware updates should lockdown the device from time-roll-back attacks of the computing equipment prior to the release date of the firmware so that any future time-roll-back attacks are prevented
• Concerned businesses and consumers should avoid using equipment that hasn’t implemented firmware security and validation as recommended by NIST
• Purchase FIPS Compliant Hardware and avoid sharing devices
• Install effective local and firewall security to block communication ports that spread Nation State derived malware
• Audit your organization’s IT network, don’t simply trust what you have been told