
> If users believe their router firmware may have been compromised, Linksys recommends that users download the latest available firmware from http://www.linksys.com/support/ and update your router.

Is there a hardware feature that makes the firmware boot secure in a way that prevents the firmware from interfering with the update? Such as croning itself to reinstall the compromise when you're not looking? Or lying that it updated?



Linksys security guy here - we got that firmware update tidbit from the cherryblossom documentation.

The firmware implant (aka flytrap) reproduces all of the router's normal functionality. On page 122 of the cherryblossom docs, it says that the firmware upgrade feature is implemented normally by the flytrap, and that if a user attempts to upgrade their router's firmware, it will overwrite the flytrap firmware.


On the basis that most Linksys owners never touch or upgrade their firmware, why aren't Linksys (and other manufacturers') products shipped with a physical hardware 'read-only' switch for the firmware to prevent unauthorised remote upgrades?


That makes entirely too much sense. They already have the hardware in the form of the WPS button which no one uses.


Hey man - professional courtesy here: "if Linksys users believe their routers are compromised" is possibly the worst way to frame this. You should flatly advise users to update.


There's no patch. The fix is just to reflash Linksys firmware to make sure you're not running compromised firmware.


Given that there is a chance for things to go wrong, I wonder what the real-world success rate of firmware upgrades performed by nontechnical users is. Is it worth it when most devices very likely aren't infected?


Perhaps I'm missing something, but are you saying you trusted that the malware documentation is correct?


Didn't really have any other choice. We had tons of users calling in last week panicking over what to do about cherryblossom.

Without a sample of the implant or confirmation from the CIA that the documents are legitimate & unaltered, this advisory is pretty much all we can do for those users.


Didn't you have an infected target to test against?


Understood. Thank you. It makes sense that you would move on this urgently and confirm its success only after.


Yeah this is a bit worrying. But since it was leaked, this actually doesn't seem so bad. What incentive would the CIA have to lie internally?


One good reason I can think of is to have something for leakers to leak that isn't based in reality.

Or: the CIA leaked it intentionally as a smokescreen.

I don't know. Are there organisational silos within intelligence agencies? Layers of access? It's hard to know for sure, but I have yet to see a human organisation that doesn't have political in-fighting.


Download from non-TLS site, yeah, what could go wrong.


Sadly true.


Because the CIA couldn't create fake certs?


Not without more risk of being caught.


The key question would be whether certificate transparency was involved.


Need something with a TPM, like an OnHub/Google Wifi.


Yes, I was speaking to these routers in particular.

Because if they don't have this, then this is bad security advice against what is considered a targeted attack.


You can disable management via the WAN port and/or wi-fi if you put OpenWRT on them.
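As an added configuration example (not from this thread or from the OpenWrt project itself), this is what that locking-down looks like in OpenWrt's UCI syntax: SSH and the LuCI web UI are bound to the LAN side only, and wireless clients are placed in their own firewall zone that can reach the Internet but not the router's management services. The zone name `wifi`, the matching network name, and the LAN address 192.168.1.1 are assumptions for the example.

```uci
# /etc/config/dropbear: bind SSH to the LAN interface only (assumed LAN name 'lan')
config dropbear
        option PasswordAuth 'on'
        option Port '22'
        option Interface 'lan'

# /etc/config/uhttpd: bind the LuCI web UI to the LAN address only (assumed 192.168.1.1)
config uhttpd 'main'
        list listen_http '192.168.1.1:80'
        list listen_https '192.168.1.1:443'

# /etc/config/firewall
# The stock 'wan' zone already rejects inbound traffic to the router itself,
# which is what blocks management from the WAN port; shown here for completeness.
config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'

# Wireless clients live on the assumed 'wifi' network, in their own zone:
# input REJECT means they cannot reach SSH/LuCI on the router at all.
config zone
        option name 'wifi'
        list network 'wifi'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# They may still go out to the Internet...
config forwarding
        option src 'wifi'
        option dest 'wan'

# ...and the only router services they can hit are DHCP and DNS.
config rule
        option name 'wifi-dhcp'
        option src 'wifi'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'wifi-dns'
        option src 'wifi'
        option dest_port '53'
        option target 'ACCEPT'
```

The wireless interfaces must be attached to the `wifi` network in /etc/config/wireless for the zone to apply; a wired LAN client keeps full management access.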


There should have never been management access enabled by default via WAN or WLAN on ANY router to be honest. In a misguided effort to make their consumer devices more 'friendly'[1] they've just made them more insecure.

--

[1] Even though most users have no idea the management interface even exists.


It's a tough call. The comms companies who provide my router provide millions of them. They want ACS/TR-069 by default and use it for automated updates.

I always disable it, but I'll bet I'm something like 1:10k in that respect.


I don't mind it being on WiFi. But yeah, public facing management port is insane.
