The Poisoned Cherryblossom

CIA spies on router, cherryblossom wikileaks vault7CherryBlossom – Spring, Japan, drifts of fragrant clouds come to mind. But here, there’s the CIA. Wikileaks are known for their subversive public service of releasing hacked government files containing information which, they feel, the public has a right to know. They have been steadily releasing astounding documents, including those from the CIA’s ‘Vault7’ documents.
CherryBlossom is another such. On June the 15th, Wikileaks released the CherryBlossom files. These documents provide a complete guide to how to use the product, from system requirements, to a 175 page quick start guide, installation guide, various WiFi devices, and diagrams and models as to how to operate it.

Why CherryBlossom?

CherryBlossom is a monitoring framework devised by the CIA with their friends at the Stanford Research Institute (SRI), as part of a project called Cherry Bomb. It is so named because its victim devices can be seen as little blossoms on the ends of boughs, on branches of the home CherryTree. So what is it for?

CherryBlossom is a type of firmware. For the layperson, firmware is the type of software which is used to programme devices, as opposed to applications software like word-processors or spreadsheets, which are used to store and manipulate any input. Firmware can be anything from BIOS to make your computer get up and go, to the operating software which enables your washing machine to run various washing cycles.

So if CherryBlossom is firmware, which devices is it instructing, and to what end? Well, the CIA is casting random flies for trout again. What they do is infiltrate the wireless devices in the environment (this can be at your office, in a public space like an airport, or even the router in your home, sweet home), because – God Bless America! – they might just pick up something compromising.

As we’re all aware, intelligent devices require frequent updates – think of your cell phone – and we are so accustomed to them gathering these when we’re attached to a WiFi connection, that we seldom think to check what is entering our digital door. Of course, your device may try to block CherryBlossom, but, as point 5.1 (S) of the CherryBlossom Quick Start Guide instructs, using the devices firmware upgrade webpage, the need for required administrator passwords, can be bypassed with Tomato or Surfside. The guide is nothing if not practical. Otherwise, you can use wireless upgrade packages, pusch your way in with Claymore, or use a LAN link to ‘upgrade’ devices in a supply chain operation.

Right! Now we’re in. Once the firmware has been compromised, the device (now styled a ‘Flytrap’) sends a beacon signal including security information and device status to the CherryTree, which adds it to a database. The CherryTree is the central commanding operations post for this activity. It can be remotely accessed via a CherryWeb remote terminal by authorised parties.

The CherryTree then allocates a ‘Mission’ to the Flytrap device, according to the type of information the Tree wishes to harvest. This can include email contacts, online account user names and VoIP numbers; redirecting traffic to unsavoury websites; using your device to deliver malware to connected devices; recording your network traffic, and even establishing VPNs to better establish connections with your contacts.

And the scary part? The CIA has been spying on networks using CherryTree since 2007. That’s ten years of lost privacy.

Echelon, what’s that? The espionage story behind the name

Echelon in Bad Aibling, Gernamy

Echelon will mean nothing to the ordinary, normal citizen. Only those who are closely connected with it would then perhaps not be surprised about what is behind it and that there could even be such a thing as Echelon. Echelon, is the name of a world-wide espionage network. It is operated by the GCHQ, the Government Communications Headquarters, under the leadership of the US and UK intelligence services. However, Australia, New Zealand and Canada also play a vital role in this operation.

Echelon in Misawa
Echelon in Misawa, Japan

How long it has been going on for, is somewhat vague. Its roots most certainly go back to the time of cooperation between the intelligence services of the US and Britain over 70 years ago,  just after the Second World War. That association was called UKUSA, and was then also joined by the above mentioned 3 states and it got the nickname Five Eyes. Over the course of time, intelligence services from eight other countries joined the forces. Their task has been and still is, to provide the interception technology and switching points in the form of, originally, antenna systems and, today, of satellites and monitoring stations on the ground.

This makes it possible to listen into the mobile telephone system, the internet data traffic going through the transceiver cables on the ocean floor, satellite and microwave communication systems. Echelon, as a programme, was created in the latter part of the 1960s as a way of keeping an eye on the Soviet bloc during the Cold War. It was formalised by 1971. However, as with the Internet which started out as DARPANET and then ARPANET, as it shed its military rainson d’etre, by the turn of the last century, Echelon had turned its interest to civil matters … its eyes now focused on such as business and private information. Big Brother was firmly in business.

Now, espionage is nothing new. Recently, espionage has only become somewhat simpler and has become more comprehensive since the world has developed and networked very technologically. And that makes it easier for Echelon to have its eyes and ears everywhere. So the difference is, whereas espionage (because it was harder to operate) used to concentrate on the more important types of knowledge such as military secrets, or important technologies, these days, can be, and is, carried out on…well, anyone, really.

Echelon CFS Leitrim
Echelon at Canadian Forces Station Leitrim, CA

Echelon can actually listen into all current information technology data lines available and evaluate gathered information on a huge scale. In its beginnings, Echelon’s efforts were directed toward the East, to the USSR and its allies. Today, it is said, Echelon is used against terrorism and drug smuggling. But it would be naive to believe that such a sophisticated and networked thing like Echelon would only be used for that.

Back in 1976 a certain Winslow Peck pointed to the espionage system and then again in 1988, following Lockheed employee Margaret Newsham‘s revelation to congress that the National Security Agency (NSA) was recording the telephone calls of a US senator, journalist Duncan Campbell was a key figure in the unveiling of Echelon. His article „Somebody’s listening“ published in the New Statesman on 12 August 1988, named Echelon as a programme, and discussed its information-gathering skullduggery.

In 1996, New Zealander Nicky Hager revealed the role that New Zealand played in Echelon. He also asserted that Echelon had by then moved from defensive to industrial espionage. Finally, the documents of Eduard Snowden really confirmed the always suspected extent of Echelon and its espionage activities. There is no reliable information on the exact scope and nature of the interception measures due to the secrecy on the part of the operators. The data are evaluated fully automatically in huge data centers.

In 2001, the European Parliament launched a huge investigation, as Echelon was also suspected of being used for economic espionage. What emerged was that Echelon was indeed used to spy on non-military targets indiscriminately.

Echelon in Menwith Hill, Yorkshire, UK
Echelon in Menwith Hill, Yorkshire, UK

Government agencies and companies around the world were also carefully monitored. The EU’s investigation confirmed the existence of Echelon finally. And, of course, the British intelligence service played a great role here. A station in Menwith Hill, Yorkshire is an important base, especially as an outpost for the American NSA.

Echelon in Germanys Bad Aibling
Echelon in Germanys Bad Aibling

But even in Germanys Bad Aibling, Echelon had its ears. So the EP’s final report recommended comprehensive measures to curb mass data monitoring. These included the recommendation that states use encryption to protect themselves from such mass surveillance, which seems, according to most reports, to rely, though not solely, on the interception of satellites. In the same year, the Guardian quoted American James Bamford’s fear that Echelon would become a kind of secret police, from which there would be no defence for the victim.
And, in spite of everything that had long been known, conspiracy theories were wiped out over and over again – there surely would not be, could not be such a worldwide automated monitoring system that could spy on anyone. In the meanwhile, the conspiracy fringe maintained that Echelon had spied on people as disparate as Kofi Annan and Ban Ki-Moon on one hand, and Diana, Princess of Wales on the other.

Between total denial in one camp and wild surmise in the other, opinion ranged widely. It was only in June 2013 that Edward Snowden’s published collection of information revealed what the NSA and its friends were really up to. The documents clearly show that Echelon exists, how it works and how it could work in the dark for so long. The documents prove that Echelon has collected and analysed everything indiscriminately, especially by tapping the huge global fiber-optic communications links. However, a large-scale test carried out by opponents to reveal this kind of espionage ended up quite sobering. Snowden’s records do not contain any hints that the NSA had already listened to the world anything like as much as it does today.

Some of the satellites from the “old” Echelon program were dismantled. I guess communication via satellites isn’t as important as undersea cables.

Encryption, why do we need it?

In principle, the answer is simple: for the same reason that we lock our doors or curtain our windows – to protect us from unwanted visitors or observers with bad intentions. Knowing stuff about the people around you has always had its advantages.

To gain this information, in the past, letters were intercepted, conversations were overheard, and people were observed. In substance, nothing has changed – it’s just that the possibilities to puncture people’s privacy have become much wider – scarily so. We may look to technology for ways to enhance our freedom – look at the Arab Spring – but it also makes possible just as many opportunities to spy on us. The thing is that internationally, privacy laws are great at covering the old media. There is newer legislation governing telecommunications and our brave new cyber world of e-traffic. However, when it comes to digitization, new technology is evolving so swiftly that the law is like a dog running after a bus, with little chance of catching it.

And who protects you when it’s that same law-making government which decides that its interests come before your privacy? Communication law has always hinged on balancing rights to privacy, anonymity, autonomy and free association, with the public interest and safety.
So, although these laws are supposed to protect us, practically, the government can overrule them, claiming that it’s in your best interests. This means that Joe Public can be subjected to surveillance anywhere, anytime, with no warning or reason supplied. It’s Big Brother.

So encryption methods are no longer only needed by those with something to hide when they transmit data, but the rest of us as well, who just want to rest assured that we’re not living under an all-seeing eye. Your cell phone is a cool way of keeping contact with your friends across the globe, but it also niftily triangulates your position. So the tech that supplies you with ultra-local weather information also allows an interested agency to track you. Those online searches that gather information to target you with useful advertising? They form a neat little goodie bag of your personal info for companies to sell to the highest bidder.

Because encryption is a complex issue, many lay-people see it as exotic; not for the man in the street. However, with the amount of monitoring performed, through everything from tracking buying-habit data, to downright spying, one cannot rely on other people’s honesty to guarantee you the privacy promised in the constitution. In the digital arena, you have to play an active role in ensuring the encryption of data into your own hands.

To put it simply: Encryption is what guarantees your privacy and protects your transmissions against manipulation. Since digitization has penetrated so deeply into all of the control areas of business and society, sufficiently strong encryption is the only protection against digital terrorism. That’s how important encryption has become for individuals.

Encryption protects our data. Medical, financial, insurance… stored locally on a personal computer or out there in the cloud, or just as it zips across from your computer to your broker’s. It protects conversation, whether video, voice or text messages. It guards our privacy and our anonymity. This is important to all, not just to journalists, and political and rights activists who use information professionally. It protects our data from interference at all levels: from crime and industrial espionage, to nosy neighbors and family members. It guards our data from malicious attack and misuse of data gathered from lost or stolen mobile devices.

With increasingly fierce competition in the market, information is gaining in importance, and its misuse and exploitation can have serious consequences. Misuse of sensitive information can have unpredictable consequences for your business. This alone makes encrypted mobile communication a necessity for modern entrepreneurs.
Electronic cash and electronic/internet banking are only viable if sufficient, current security and authentication methods are embedded. These must be independent of state intervention, since all it takes is one disgruntled employee, or one with a vast debt owing, to use his or her security clearance to make a little cash on the side with customer credit card details. Then there are the hackers…

Right now, encryption is still the best privacy-preserving technology that we have. It is our best chance at protection from the mass of cyber surveillance, which, on one hand capacitates governments to control their citizens, and on the other, allows criminals to seek out vulnerable victims.
Efforts by governments to reduce security to enable monitoring.

Since the emergence of data and the information society, the secret services no longer limit their activities to letters and wire-tapping: Since the adoption of various laws regulating telecommunications services in most countries globally, data services, mobile telephones and other electronic communications facilities are also included in the monitoring process.

In August 2014, Germany‘s the “Digital Agenda” was published. It contained a chapter on

“Security, Protection and Trust for Society and Business”.

This stated:

“We support more and better encryption. We want to be the # 1 encryption site in the world. Therefore, the encryption of private communication in the main should become a standard.”

However, six months later, the International Forum on Cybersecurity declared:

„Authorities must be empowered and able to ‘decrypt or circumvent’ encrypted communications.”

It said:

“If the operator protects the messages entrusted to him for transmission by means of technical measures against unauthorized third-party access, he must have an interface… provide access to the unprotected messages”.

Law, therefore, mandated created artificial weaknesses. Public authorities such as courts, customs, police and constitutional protection have relatively free, indeed almost uncontrolled, access to private data. And private companies get to help in the fight against crime.

Knowing all this, it seems less paranoid to encrypt your personal data so that your business is shielded from government agency monitoring. As mentioned earlier, websites gather profile information, and cell-phone transmissions enable location tracing. Since you can’t control the data stored by a telecommunications provider, the least you can do is to protect your own data, when you transmit it. This “problem” is well-known to governments who seek to control telecommunication services, and in some states, laws have already been passed that either completely prohibit or restrict encryption.

In the 1990s, the FBI already started the fight to prohibit encryption techniques which did not ensure easy access for law enforcement to crack encrypted messages.

Washington‘s Electronic Privacy Information Center (EPIC) and other rights organizations urged the National Institute of Standards and Technology to ensure the evolution of

“secure and resilient encryption standards, free from back doors or other known vulnerabilities.”

Their fear was that the National Security Agency (NSA) would lean on standard-setters to allow monitoring of private communication. EPIC previously advised NIST not to support for the random number generator algorithm that the NSA had compromised. EPIC also made recommendations that NIST ensure public awareness of the NSA‘s extensive interference in the Cybersecurity Framework. EPIC President Marc Rotenberg raised the alarm, testifying before Congress back in 1989 – that the NSA would influence NIST encryption standards. EPIC’s 1999 report found that countries with strong domestic controls on the use of cryptography are mostly countries with little respect for human rights. These included China, Vietnam and Russia. It reported a trend towards relaxing restraint on encryption. By 1997, France had abandoned the Escrow system, while other countries rejected it outright. Internationally, the UN Special Rapporteur on Freedom of Expression supported strong encryption and anonymity tools. Its finding was that encryption and anonymity are essential to enable rights of expression and opinion. EPIC has lobbied the UN to support these aims, since, as they say,

„In our modern age, encryption is the key technique and anonymity is the core legal right that protects the right to privacy.”

EPIC previously urged the UN to support secure, anonymous communications, stating,

“In our modern age, encryption is the key technique and anonymity is the core legal right that protects the right to privacy.”

Further down the line, government is still at it. In 2014, Director Comey of the FBI was still arguing for ‚broken encryption‘ to enable monitoring of private citizens by law enforcement departments. Efforts have been made to restrict use of the Clipper Chip to only one state-approved encryption system. EPIC argues for strong encryption measures, and petitioned then President Obama to resist encryption-weakening proposals. EPIC’s stance was championed by Apple’s Tim Cook, who pointed out that if hackers know of a way in to a system, they won’t rest until they discover it. And they normally have more time than security employees.

Some EU law resembles that of the US. In France, once again cryptographic systems are subject to authorization. In Russia, a similar decree prohibits all cryptosystems not licensed by the government, and permits are issued only by FAPSI (successor to the KGB).

Mostly, these prohibitions contradict the demands of a modern economy which requires a cryptographic system secure enough to be trustworthy for confidential data such as bank connections. The record shows that hackers regularly crack or undermine government security standards. It is obvious, therefore, that if government authorities want to keep a Back Door, sooner or later, the Back Door Men will find it.

We are vulnerable – in more ways than ever before. We should – we must – encrypt our data.