Apple AirPort not on latest 'Vault 7' list of gear susceptible to factory firmware hack by...

13

Comments

  • Reply 41 of 63
    dysamoriadysamoria Posts: 3,430member

    Has the code for the exploit been released (or how to do it) or was it just a description of the exploit?

    It sounds like you either need physical access to the router, or remote access -which is usually disabled by default.

    It's probably not safe to purchase any of these brands sold through middleman (Amazon/EBay, etc) from now on because they could have been tampered with.

    I bet the router manufacturers are fuming ; )

    These routers security has always been bad... now they're approaching unusable.



    1) No code was released.
    2) You do need physical access to the router -- and they were getting it either in the factory, at retail, or before delivery.
    3) Probably.
    4) Probably.
    This article discusses a few of the vulnerabilities used by the CIA.  But arguably the one we should be most concerned about is called Claymore.

    It involved a network scan tool rather than the need to have physical access to the router...  they still end up replacing your devices firmware once they get access, to track you and collect your online passwords. (Using the other tools)

    FYI

    It's a good idea for everyone to make sure they have the latest firmware installed on their router.  Disable remote administration, disable UPNP, and change the default password.  It may not do any good against the CIA tools, but you'll be safer than doing nothing.  While you're in there you might as well change your Wifi password (these days it should be a pass phrase because it's more secure, and not a password).

    Also if you buy a new router, the first you should do is download (from the manufacturer) and overwrite whatever firmware came installed.

    If you have an old router (and a manufacturer that hasn't updated the firmware) it might be worth while looking into open source firmwares like DD-WRT.  DD-WRT might not be the best choice because of it's Linksys roots but it would be a good place to start researching options.

    As users we have to assume these tools and not just the documentation will be released soon.  What a pain in the ass...


    What about when you have a lousy Verizon DSL unit that has never been updated and seems impossible to find updates for?

    I plan to move to a local cable company for internet (faster for the same price compared to Verizon's garbage). What about those modems? Are they also compromised as being routers likely manufactured by the usual companies?
  • Reply 42 of 63
    The fun part is playing with CIA modified firmware and feeding it garbage ;)
    GeorgeBMac
  • Reply 43 of 63
    dysamoriadysamoria Posts: 3,430member
    razormaid said:
    If Apple knows this then why on Earth are they wanting to kill off Airport Extreme Routers?  I would probably be one of those who rushes out and buys them all up but that would be useless if Apple stop sending out firmware updates once it kills it off.  This doesn't make sense to me.  You'd think they would expand on Airport not kill it off.
    Here's a theory...

    the rules for government eavesdropping are a bit different for the gear used to create the networks than they are for personal devices.  And there are government orders to companies that companies are not allowed to make public; not allowed to speak about.  Combining these two facts, one could theorize that the government might have made a secret order to network gear companies that require them to submit to something akin to the Clipper chip, but just software based.  Terrifying, but maybe plausible.  A company like Apple, rather than submit to such an order, would more likely simply shut down its minor network gear business.  
    Would this not require an act of congress?
  • Reply 44 of 63
    dysamoriadysamoria Posts: 3,430member
    rob53 said:
    ireland said:
    Makes you wonder who the bigger terrorists are.
    We all know the CIA is the largest terrorist organization in the world--and this isn't a political statement, it's a fact! Many Americans won't call them terrorists but everyone outside the USA will so the CIA is a terrorist organization to them.
    Sorry, we all DON'T know the CIA is the largest terror organization in the world. Give me a break. The real world necessitates these agencies, including those in our allied countries working similar problems. Wrongs have been done, many over the years by the the CIA. No excuse can be given for the misuse of such power. Oversight and reform continues. 

    You apparently don't have a lick of knowledge about what goes on outside of the safe and comfortable bubble we all take for granted. These people are heroes and patriots. Rights and freedoms need defending. 
    Not by destroying those same rights and freedoms. I suggest you might be a bit overconfident in the claims of "all the threats we protect you from that you never know about".
  • Reply 45 of 63
    dysamoriadysamoria Posts: 3,430member
    avon b7 said:
    It is ironic that China, taking advantage of European investigation, has successfully tested the base of quantum communication following the pioneering work of Anton Zeilinger and Valerio Pruneri. The Mozi satellite is in the news this week. 

    I wonder how far behind the US and Europe now trail in this filed?

    Although I had a recent visit to a supercomputing centre where they drove home the EU's plans to have it's own homegrown and manufactured processor operational by 2020 in an attempt to provide a higher level of security against cyber attacks.


    Those in the research community have noted that the United States, a few years ago, stopped publishing on the topic.  Their view of that fact is that either the developments underway failed (unlikely as the experiments proving action at a distance have been successful for 20 years, at greater and greater distances, culminating, as far as we know, with China's satellite mission), or that the U.S. development has been spectacularly successful, and so they would naturally keep that result to themselves.  
    Everything I've read about quantum entanglement says that it cannot be used for communication. When did this understanding change?
  • Reply 46 of 63
    AppleZuluAppleZulu Posts: 1,989member
    I've said it before, and I'll say it again, so I can either gloat if I'm right or somebody can rub my nose in it if I'm wrong: I think the just-announced HomePod is going to be one component in Apple's next generation of home networking gear. I think the WWDC announcement was only telling part of the story about what's going to be baked into those things. 

    Pretty much everything Apple sells now is in one way or another network based, and home or office WiFi is a big part of how all those things connect. HomeKit is still something that's not yet fleshed out, but is positioned to set Apple up as the secure way to control all of a home's lights, locks, cameras, thermostats, etc. Now with the possibility of Siri-enabled pods distributed around the home as a means to enable voice control of all those things, it seems inconceivable that Apple would then cede the central position of the router to other manufacturers that will screw up the entire thing with security holes, difficult setup and total disregard for aesthetics. That just makes no sense whatsoever, especially since despite all the rumors, AirPort devices are still being manufactured, sold and getting firmware updates. No, I think Apple is holding that router spot with AirPort, and that there's some next-generation networking device in the works but as of yet unannounced. It would be very Apple-like to have a next-generation router that does everything Airport does, but also controls HomeKit enabled devices, eliminating the current need for many of them to have their own separate base stations. A few HomePods distributed through the house then act as voice controllers, music players, and -importantly- fully secure mesh WiFi extenders, which would greatly enhance the reliability of HomeKit-networked devices, from one end of the house to the other. That vision places Apple at the heart of a secure, fully-functioning networked home. In contrast, the scenario where Apple just lets Airport slowly phase out while others occupy the position of central data network gateway just makes no sense. So we'll see.  
    GeorgeBMac
  • Reply 47 of 63
    irelandireland Posts: 17,798member
    AppleZulu said:
    I've said it before, and I'll say it again, so I can either gloat if I'm right or somebody can rub my nose in it if I'm wrong: I think the just-announced HomePod is going to be one component in Apple's next generation of home networking gear. I think the WWDC announcement was only telling part of the story about what's going to be baked into those things.
    I won’t gloat when you are wrong. I actually hope what are saying is the case. It’s just not typical of Apple. No, I’d say they removed AirPort Express from Apple(dot)com because they are working on a modern tri-mesh networking solution product and Gurman’s story proves innacurate. They continue to sell AirPort Exterme because they’ll need some kind of router product before the new solution is released. 

    Nothing else makes much sense. To say Apple’s wireless group are too busy to design and produce anything new, I just don’t believe that.
    edited June 2017
  • Reply 48 of 63
    avon b7avon b7 Posts: 7,624member
    dysamoria said:
    avon b7 said:
    It is ironic that China, taking advantage of European investigation, has successfully tested the base of quantum communication following the pioneering work of Anton Zeilinger and Valerio Pruneri. The Mozi satellite is in the news this week. 

    I wonder how far behind the US and Europe now trail in this filed?

    Although I had a recent visit to a supercomputing centre where they drove home the EU's plans to have it's own homegrown and manufactured processor operational by 2020 in an attempt to provide a higher level of security against cyber attacks.


    Those in the research community have noted that the United States, a few years ago, stopped publishing on the topic.  Their view of that fact is that either the developments underway failed (unlikely as the experiments proving action at a distance have been successful for 20 years, at greater and greater distances, culminating, as far as we know, with China's satellite mission), or that the U.S. development has been spectacularly successful, and so they would naturally keep that result to themselves.  
    Everything I've read about quantum entanglement says that it cannot be used for communication. When did this understanding change?
    https://m.phys.org/news/2012-09-km-physicists-quantum-teleportation-distance.html

    My understanding is that Europe began dragging its feet over this subject (financing issues I believe) and the Chinese pushed ahead and the Mozi venture seems to have further improved the outlook for further investment.

  • Reply 49 of 63
    razorpitrazorpit Posts: 1,796member
    Soli said:
    Also if you buy a new router, the first you should do is download (from the manufacturer) and overwrite whatever firmware came installed.
    You should do it, but it should be noted that this is not a guarantee of anything. There could be exploits built into the HW or even a rootkit installed that could make wiping the firmware a million times pointless. That isn't to say you should automatically worry about that, but you shouldn't assume that you're completely safe.

    If you're buying from a popular brand name and keep your devices up to date you are statistically more secure than the average person—and not just from wireless routers, but because someone with an antiquated 802.11g router is more likely going to have other antiquated equipment that hasn't been updated in years as well as care less about security, all of which make them easier to exploit.
    The Sony rootkit scandal immediately came to mind. Having the hindsight we have now, how much of a "corporate blunder" was that and did the CIA play a role in it?
  • Reply 50 of 63
    razorpitrazorpit Posts: 1,796member
    slurpy said:
    I would love it if Apple released their own mesh networking system like Eeero, etc. I'd like to pick up one of these (can't stand shit wifi anymore) but would prefer an Apple option. 
    Other than maybe some cool new features how does Eero function any differently than what Apple's routers do? I can walk from floor to floor, room to room, and the handoff between extenders is pretty much unnoticeable. Seems to me like Apple has had this basic functionality for years.
    bluefire1 said:
    Ironically, I bought two of them today (one being an extender) before even seeing this article. The Apple rep in the store suggested a google router and I suggested he use my Apple Pay for two Airport Extremes. There's nothing like an Apple product.
    By the way, setup couldn't have been easier.
    Congrats! After some serious internal debates with myself I bought a new Extreme just last week for my new house. After the success I've have for the last ~ 8 years with Apple routers it almost seems like a slap in the face to purchase another brand.
    bluefire1
  • Reply 51 of 63
    nhtnht Posts: 4,522member
    avon b7 said:
    It is ironic that China, taking advantage of European investigation, has successfully tested the base of quantum communication following the pioneering work of Anton Zeilinger and Valerio Pruneri. The Mozi satellite is in the news this week. 

    I wonder how far behind the US and Europe now trail in this filed?

    Although I had a recent visit to a supercomputing centre where they drove home the EU's plans to have it's own homegrown and manufactured processor operational by 2020 in an attempt to provide a higher level of security against cyber attacks.


    Those in the research community have noted that the United States, a few years ago, stopped publishing on the topic.  Their view of that fact is that either the developments underway failed (unlikely as the experiments proving action at a distance have been successful for 20 years, at greater and greater distances, culminating, as far as we know, with China's satellite mission), or that the U.S. development has been spectacularly successful, and so they would naturally keep that result to themselves.  
    In case our european skeptics won't take your word for this:

    "Marquardt and others suspect, however, that this field could be much further advanced than has been publicly acknowledged, with developments possibly hidden behind veils of official secrecy in the U.S. and elsewhere. It may be that the era of quantum communication is already upon us. “Some colleague of mine made the joke, ‘the silence of the U.S. is very loud,’” Marquardt says. “They had some very good groups concerning free-space satellites and quantum key distribution at Los Alamos [National Laboratory] and other places, and suddenly they stopped publishing. So we always say there are two reasons that they stopped publishing: either it didn’t work, or it worked really well!”"

    https://www.scientificamerican.com/article/china-shatters-ldquo-spooky-action-at-a-distance-rdquo-record-preps-for-quantum-internet/

    One of the more recent Los Alamos papers concluded in 2010:

    "Conclusions: Using the architecture that we have developed, LEO satellite-to-ground QKD will be feasible with secret bit yields of several hundred 256-bit AES keys per contact. With multiple ground sites separated by - 100km, mitigation of cloudiness over any single ground site would be possible, potentially allowing multiple contact opportunities each day. The essential next step is an experimental QC-sat. A number of LEO-platforms would be suitable, ranging from a dedicated, three-axis stabilized small satellite, to a secondary experiment on an imaging satellite. to the ISS. With one or more QC-sats, low-latency quantum-secured communications could then be provided to ground-based users on a global scale. (Air-lo-ground QC would also be possible.)"

    http://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-10-06352

    A followup paper in 2013 reporting success in the terrestrial environment and then dead air.
  • Reply 52 of 63
    radarthekatradarthekat Posts: 3,842moderator
    ireland said:
    razormaid said:
    If Apple knows this then why on Earth are they wanting to kill off Airport Extreme Routers?  I would probably be one of those who rushes out and buys them all up but that would be useless if Apple stop sending out firmware updates once it kills it off.  This doesn't make sense to me.  You'd think they would expand on Airport not kill it off.
    Here's a theory...

    the rules for government eavesdropping are a bit different for the gear used to create the networks than they are for personal devices.  And there are government orders to companies that companies are not allowed to make public; not allowed to speak about.  Combining these two facts, one could theorize that the government might have made a secret order to network gear companies that require them to submit to something akin to the Clipper chip, but just software based.  Terrifying, but maybe plausible.  A company like Apple, rather than submit to such an order, would more likely simply shut down its minor network gear business.  
    That’s not how they reacted for their iPhone business.
    That's exactly why I explained that telecommunications gear is under a different set of rules.  
  • Reply 53 of 63
    AppleZuluAppleZulu Posts: 1,989member
    ireland said:
    AppleZulu said:
    I've said it before, and I'll say it again, so I can either gloat if I'm right or somebody can rub my nose in it if I'm wrong: I think the just-announced HomePod is going to be one component in Apple's next generation of home networking gear. I think the WWDC announcement was only telling part of the story about what's going to be baked into those things.
    I won’t gloat when you are wrong. I actually hope what are saying is the case. It’s just not typical of Apple. No, I’d say they removed AirPort Express from Apple(dot)com because they are working on a modern tri-mesh networking solution product and Gurman’s story proves innacurate. They continue to sell AirPort Exterme because they’ll need some kind of router product before the new solution is released. 

    Nothing else makes much sense. To say Apple’s wireless group are too busy to design and produce anything new, I just don’t believe that.
    But they didn't remove Airport Express from Apple.com or from the shelves of your local Apple store. I just checked, and AirPort Express, Extreme and Time Capsule are all available online right now, and when I click "check availability" on each and type in the names of random cities across the country, they're available and in-stock right now at Apple stores everywhere. Whatever the future holds is up to conjecture and educated guesses. For the present, however, these devices are all available, and still supported with periodic security and firmware updates. The original story that Apple was 'abandoning' AirPort was over a year ago, and it generated rumors that they were also discontinuing production. That's clearly not true. So whatever the future holds, Apple has not thus far given up that space. They are still very much in the business of making and selling routers.
    StrangeDays
  • Reply 54 of 63
    joogabahjoogabah Posts: 139member
    rob53 said:
    ireland said:
    Makes you wonder who the bigger terrorists are.
    We all know the CIA is the largest terrorist organization in the world--and this isn't a political statement, it's a fact! Many Americans won't call them terrorists but everyone outside the USA will so the CIA is a terrorist organization to them.
    Sorry, we all DON'T know the CIA is the largest terror organization in the world. Give me a break. The real world necessitates these agencies, including those in our allied countries working similar problems. Wrongs have been done, many over the years by the the CIA. No excuse can be given for the misuse of such power. Oversight and reform continues. 

    You apparently don't have a lick of knowledge about what goes on outside of the safe and comfortable bubble we all take for granted. These people are heroes and patriots. Rights and freedoms need defending. 




    Heros and patriots?  Sending people to black sites overseas for torture?  Real heroic and totally embodies "American values"...  We wouldn't need agencies that have to spy on everyone if America wasn't hell bent on world domination and the imposition of a class based system that increasingly just wants "losers" to die.
  • Reply 55 of 63
    irelandireland Posts: 17,798member
    AppleZulu said:
    ireland said:
    AppleZulu said:
    I've said it before, and I'll say it again, so I can either gloat if I'm right or somebody can rub my nose in it if I'm wrong: I think the just-announced HomePod is going to be one component in Apple's next generation of home networking gear. I think the WWDC announcement was only telling part of the story about what's going to be baked into those things.
    I won’t gloat when you are wrong. I actually hope what are saying is the case. It’s just not typical of Apple. No, I’d say they removed AirPort Express from Apple(dot)com because they are working on a modern tri-mesh networking solution product and Gurman’s story proves innacurate. They continue to sell AirPort Exterme because they’ll need some kind of router product before the new solution is released. 

    Nothing else makes much sense. To say Apple’s wireless group are too busy to design and produce anything new, I just don’t believe that.
    But they didn't remove Airport Express from Apple.com or from the shelves of your local Apple store. I just checked, and AirPort Express,
    You're right. Someone said this earlier. Should have checked.
  • Reply 56 of 63
    bluefire1bluefire1 Posts: 1,301member
    This makes it all the more a shame that Apple has apparently exited the router market (as far as updating them). in all my years, the Airport line has been the easiest (by a country mile) and most reliable routers available. The Airport Extreme and Time Capsule are still listed for sale on Apple's website. The Express, however, is not!
    The Express is available in Apple Stores. It uses the older 802.11n standard vs. the Extreme's newer 802.11ac standard. 
  • Reply 57 of 63
    cti1610cti1610 Posts: 4member
    rob53 said:

    We all know the CIA is the largest terrorist organization in the world--and this isn't a political statement, it's a fact! Many Americans won't call them terrorists but everyone outside the USA will so the CIA is a terrorist organization to them.

    With all due respect, we all know nothing of the sort.  Purporting to speak on behalf of everyone, which necessarily includes me, is presumptuous in the extreme.  The use of absolutes ("all", "everyone") immediately renders the statement quoted above suspect.  So, too, do statements such as "the CIA is the largest terrorist organization in the world" and "it's a fact!" when no supporting facts are provided.  

    I don't know you.  You may be a very nice person.  If you hate the CIA (or NSA, NRO, FBI, CYBERCOM, etc...) for whatever reason, please say that.  You have every right to your opinion, but please recognize that it is just an opinion and don't suggest that we all share that opinion.



  • Reply 58 of 63
    tallest skiltallest skil Posts: 43,388member
    ...CIA details the "Cherry Blossom" firmware modification program, which allowed intelligence agencies to change firmware in a networking company's factories…

    The latest dump from the "Vault 7" data details the program where the U.S. CIA was able to redirect a surveillance target's web traffic, scan for passwords, and monitor site visits from a penetrated router. The two methods of installing the package are either another undetailed tool called Claymore, or through a "supply-chain operation" in the factories or distribution chains themselves.
    Explain how this is constitutional without using phrases and concepts from Orwell. Why aren't we hanging these people en masse?
  • Reply 59 of 63
    SoliSoli Posts: 10,035member
    ...CIA details the "Cherry Blossom" firmware modification program, which allowed intelligence agencies to change firmware in a networking company's factories…

    The latest dump from the "Vault 7" data details the program where the U.S. CIA was able to redirect a surveillance target's web traffic, scan for passwords, and monitor site visits from a penetrated router. The two methods of installing the package are either another undetailed tool called Claymore, or through a "supply-chain operation" in the factories or distribution chains themselves.
    Explain how this is constitutional without using phrases and concepts from Orwell.
    You can start here.


    Why aren't we hanging these people en masse?
    It's funny you say that since you've been very vocal about rallying support for the people that keep for pushing for more control, sanctioned backdoors, increasingly less oversight, and continued stripping of individual rights.

  • Reply 60 of 63
    tallest skiltallest skil Posts: 43,388member
    Soli said:
    You can start here.
    So not constitutional, then.  :p
    you've been very vocal about rallying support for the people that keep for pushing for more control, sanctioned backdoors, increasingly less oversight, and continued stripping of individual rights.
    Nope. Nowhere have I supported those things. I support the Constitution. 
Sign In or Register to comment.