CIA Firmware Hacked Popular Wireless Routers Since 2007

For the past decade, the CIA has been able to infiltrate scores of models of wireless routers, gaining access to connected devices from which agents could copy Internet traffic, steal passwords or redirect unwitting users to other sites.

Existence of the so-called “Cherry Blossom” firmware modification program is alleged in the latest dump of purportedly top secret CIA cyber exploits from WikiLeaks, dubbed “Vault 7.”

The CIA has never publicly acknowledged the programs nor authenticated the Vault 7 documents.

Among the companies whose wireless routers have reportedly been compromised are Motorola, Linksys, Dell, Netgear, US Robotics, Belkin, Asus, Buffalo, DLink and Senao.

“The Cherry Blossom (CB) system provides a means of monitoring the Internet activity of and performing software exploits on targets of interest,” the WikiLeaks documents state. “In particular, CB is focused on compromising wireless networking devices, such as wireless (802.11) routers and access points…to achieve these goals.”

Cherry Blossom relies on implanting altered versions of the products’ firmware, either by intercepting the physical product between the manufacturer and the retailer or – remotely – during operations posing as wireless upgrades.

“This technique does not require physical access but typically does require an administrator password,” the documents state.

“Some exploitation tools…have been created to determine passwords for devices of interest,” the instructions go on. “If the device is using wireless security (e.g., WEP or WPA), then these credentials are required as well.”

The firmware can also be delivered to devices that do not allow for firmware upgrades over wireless links.

“To workaround this issue, ‘Wireless Upgrade Packages’ have been created for a few devices of interest,” according to the manual. “In some cases, the Wireless Upgrade Package also can determine the administrator password.”

The latest documents, entitled “Cherry Bomb: Cherry Blossom User’s Manual,” indicates the program was started Jan. 9, 2006, with help from the Stanford Research Institute International.

For cases requiring a more sophisticated delivery method, there’s “Claymore,” which includes all of the above features, plus additional wrinkles.

“Claymore can run in a mobile environment (i.e. on a laptop) or in a fixed environment with a large antenna for longer ranges,” the documents state.

An implanted device is known as a “FlyTrap” and communicates via beacon with a CIA-controlled server known as CherryTree (CT).

“The CT will respond with a Mission that tasks the FlyTrap to search for target emails, chat users, or MAC addresses in the network traffic passing through the device,” the documents state.

An operator can monitor data about the progress of the exploit, launch missions or perform system administrator tasks via a browser interface called “Cherry Web.”

“FlyTrap can also setup VPN tunnels to a CherryBlossom-owned VPN server to give an operator access to clients on the FlyTrap’s WLAN/LAN for further exploitation,” the documents state. “The CherryTree logs Alerts to a database, and, potentially distributes Alert information to interested parties (via Catapult).”