Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20350112
9 (U) System Operation
(S) This section discusses operation of the CB system. It is assumed that the following have been successfully completed:
- CherryTree/Web installation and configuration on a server with internet access
- PoP installation and configuration. See “Cherry Blossom Installation Guide” for instructions on how to configure a PoP.
- A CB-supported device has been discovered and identified for implant (using Claymore or other tools/intelligence), or a CB-supported device has been procured (for supply chain scenario)
- A CB Production Release Firmware or Wireless Upgrade Package has been built with suitable parameters for the device of interest (see section 6 and in particular section 6.6). If Claymore will be used to perform the implant, then this firmware has been loaded into the Claymore system.
9.1 (S) Implanting a Wireless Device
(S) There are four general methods for getting a Flytrap implant onto a wireless device, some of which are device-specific:
- Use the Device’s Firmware Upgrade Web Page over a Wireless (WLAN) Link – this technique does not require physical access but typically does require an administrator password. Some exploitation tools (e.g., Tomato, Surfside) have been created to determine passwords for devices of interest. If the device is using wireless security (e.g., WEP or WPA), then these credentials are required as well. See section 6.4 for device-specific information on wireless firmware upgrade and administrator password exploits. See section 16 for firmware upgrade procedures (both wired and wireless) for all devices that have passed FAT (see 6.2), as well as default IP addresses and default web interface passwords.
- Use a Wireless Upgrade Package – some devices do not allow a firmware upgrade over the wireless link. To work around this issue, “Wireless Upgrade Packages” have been created for a few devices of interest. In some cases, the Wireless Upgrade Package can also determine the administrator password. See section 6.4 for device-specific information on Wireless Upgrade Packages (including whether the Wireless Upgrade Package also has an administrator password exploit). See section 16 for wireless upgrade instructions for devices that require a Wireless Upgrade Package.
- Use the Claymore Tool – the Claymore tool is a survey, collection, and implant tool for wireless (802.11/WiFi) devices. The survey function attempts to determine device makes/models/versions in a region of interest. The collection function can capture wireless traffic. The implant function can perform wireless firmware upgrades and incorporates the exploitation tools (for determining administrator passwords) and Wireless Upgrade Packages (for devices that don’t allow wireless firmware upgrades). Claymore can run in a mobile environment (i.e., on a laptop) or in a fixed environment with a large antenna for longer ranges. See the “Claymore User’s Manual” for more information.
- Use the Device’s Firmware Upgrade Web Page over a Wired (LAN) Link – this technique would likely be used in a supply chain operation. See section 6.4