Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

5 (U) System Operation

(S) This section discusses operation of the CB system. It is assumed that the following have been successfully completed:

- CherryTree/Web installation and configuration on a server with internet access
- PoP installation and configuration. See “Cherry Blossom Installation Guide” for instructions on how to configure a PoP.
- A CB-supported device has been discovered and identified for implant (using Claymore or other tools/intelligence), or a CB-supported device has been procured (for supply chain scenario)
- A CB Production Release Firmware or Wireless Upgrade Package has been built with suitable parameters for the device of interest (see CBUM for device support). If Claymore will be used to perform the implant, then this firmware has been loaded into the Claymore system.

5.1 (S) Implanting a Wireless Device

(S) There are four general methods for getting a Flytrap implant onto a wireless device, some of which are device-specific (the CBUM contains detailed information on device support and upgrade procedures):

- Use the Device’s Firmware Upgrade Web Page over a Wireless (WLAN) Link – this technique does not require physical access but typically does require an administrator password. Some exploitation tools (for example Tomato and Surfside) have been created to determine passwords for devices of interest. If the device is using wireless security (for example WEP or WPA), then these credentials are required as well.
- Use a Wireless Upgrade Package – some devices do not allow a firmware upgrade over the wireless link. To work around this issue, “Wireless Upgrade Packages” have been created for a few devices of interest. In some cases, the Wireless Upgrade Package also can determine the administrator password.
- Use the Claymore Tool – the Claymore tool is a survey, collection, and implant tool for wireless (802.11/WiFi) devices. The survey function attempts to determine device makes/models/versions in a region of interest. The collection function can capture wireless traffic. The implant function can perform wireless firmware upgrades and incorporates the exploitation tools (for determining administrator passwords) and Wireless Upgrade Packages (for devices that don’t allow wireless firmware upgrades). Claymore can run in a mobile environment (i.e., on a laptop) or in a fixed environment with a large antenna for longer ranges. See the “Claymore User’s Manual” for more information.
- Use the Device’s Firmware Upgrade Web Page over a Wired (LAN) Link – this technique would likely be used in a supply chain operation.

(S) If the firmware upgrade is successful, the device (now a Flytrap) will send its Initial
Beacon after meeting the Initial Beacon criteria that have been built into the firmware
image (see CBUM for detailed description of Flytrap Beacon logic).