Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
case in the most likely scenario where the WAN has been configured for DHCP. In any case, it is probably a good idea to have at least one PoP with a static IP address assigned in each Mission (for Periodic Beacons) and when the firmware image is formed (Initial Beacon).
12.5 (S) Windex Action Occurs Only on First HTTP GET Request of Root URL
(S) The Windex Action occurs only on the first HTTP GET request for a root URL (e.g. http://www.google.com) that occurs after the initial Target detection. If the Target never requests a root URL, the Target will not be exploited.
12.6 (S) Non-Deterministic Beacon Timing
(S) The precise time at which a Flytrap will send its next Beacon (and hence be able to retrieve a new Mission) is non-deterministic for a few reasons. First, Flytraps are typically operating “in the wild”, so the Sponsor has no control over when the device is powered on or connected to the internet. Second, Beacons can be configured to depend on a “Traffic Requirement” being met (see 15.2): a Beacon is not sent unless a certain ambient network traffic threshold has been reached, and that cannot be determined a priori.
12.7 (S) Firmware Upgrade Will Remove Implant
(S) If the Flytrap undergoes a successful firmware upgrade, the Cherry Blossom implant will be lost. There was much discussion with the Sponsor over how to handle this (e.g., always fail the upgrade, remove the firmware upgrading facility, or simulate a real upgrade and report success even though the firmware was not upgraded). In the end, it was decided that, to meet the requirement of “Minimal Interference with Normal Device Operation or Look and Feel” (see 5.2.3.14), the manufacturer’s firmware upgrade facility should not be tampered with.
(S) A few devices support a firmware-configurable (see 6.3 and 15.5.2) “Firmware Upgrade Inhibit” option. The Belkin F5D8231-4 v4 firmware 4.00.16, Linksys WRT300Nv2 firmware 2.00.08, and Linksys WRT54GL firmware 4.30.11 ETSI all support an upgrade inhibit option wherein the user is always presented with a manufacturer’s error message when an upgrade is attempted.