Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
4 (U) System Description and Definitions
(U) This section presents the system architecture, gives a high-level description of the CB
system, and defines a number of terms used throughout the document.
4.1 (U) Description
(U) The architecture of the CB system is shown in Figure 1. Red boxes are CB
components.
[Figure 1 (Cherry Blossom architecture diagram; labels as extracted): Target side: Normal User; Implanted Wireless Device (Flytrap); Modem, Firewall, etc. Network path: Internet; Point of Presence (PoP); Inter/Intranet; Sponsor Firewall. Sponsor Network: Command & Control Server (CherryTree); Sponsor Exploit Db; Sponsor Target Db; Sponsor Alert System; User Interface (CherryWeb); …; Other Sponsor System; Point of Presence (PoP). Legend: red implies Cherry Blossom system component.]
(S) The key component is the Flytrap, which is typically a wireless (802.11/WiFi) device
(router/access point) that has been implanted with CB firmware. Many wireless devices
allow a firmware upgrade over the wireless link, meaning a wireless device can often be
implanted without physical access. Supported devices (see section 6) can be implanted by
upgrading the firmware using a variety of tools/techniques:
• Using the Device’s Firmware Upgrade Web Page over a Wireless (WLAN)
Link – this technique does not require physical access but typically does require
an administrator password. Some exploitation tools (e.g., Tomato, Surfside) have
been created to determine passwords for devices of interest. If the device is using
wireless security (e.g., WEP or WPA), then these credentials are required as well.
• Using a Wireless Upgrade Package – some devices do not allow a firmware
upgrade over the wireless link. To work around this issue, “Wireless Upgrade
Packages” have been created for a few devices of interest. In some cases, the
Wireless Upgrade Package can also determine the administrator password. See
section 6.4 for details.
• Using the Claymore Tool – the Claymore tool is a survey, collection, and
implant tool for wireless (802.11/WiFi) devices. The survey function attempts to
determine device makes/models/versions in a region of interest. The collection
Figure 1: Cherry Blossom Architecture (S)