WikiLeaks releases details of CherryBlossom, a CIA firmware for compromising wireless routers


As part of the Vault 7 series of leaks, WikiLeaks has published documents on CherryBlossom, a CIA project for compromising wireless networking devices such as wireless access points and routers. The CIA replaces the device's firmware with its own on the kind of routers typically used to provide wireless access in homes, offices, hotels, public places and coffee shops. The CherryBlossom architecture is not limited to wireless routers, however; it was built to work on wired routers as well. The documents indicate that the project was active during 2011-2012.

Several components make up the CherryBlossom architecture. A compromised router is known as a FlyTrap. The FlyTrap beacons to a command-and-control server known as the CherryTree, sending device status and security information, which the CherryTree logs to a database. An operator can review these logs through a web-based interface known as the CherryWeb and use it to assign tasks, or Missions, to the FlyTrap.

A FlyTrap can be configured to beacon to the CherryTree at a set time. It can also scan the traffic passing through the router for email addresses, MAC addresses, VoIP numbers or chat handles, and a match on one of these can trigger additional tasks. FlyTrap configuration is done through the CherryWeb interface, and a FlyTrap can be set to send an alert to the CherryTree when it detects target activity.
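To make the beacon, mission and trigger flow described in the two paragraphs above concrete, here is a small Python model written for this article. It is example code, not the leaked CherryBlossom software. The device fields, the task names, the use of SIP URIs to stand in for "VoIP numbers", the @-style chat handles and the sample traffic records are all constructed assumptions.

```python
"""Illustrative model of the FlyTrap / CherryTree flow from the article.
Written for this page; not the leaked CIA code. Task names, device fields,
identifier formats and the sample traffic are constructed assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Identifier types the article says a FlyTrap can be tasked to watch for.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
VOIP_RE = re.compile(r"\bsip:[^\s;>]+")  # assumption: SIP URIs stand in for "VoIP numbers"
HANDLE_RE = re.compile(r"(?<![\w.])@([A-Za-z0-9_]{3,})\b")  # assumption: @handle chat names


def extract_identifiers(text: str) -> set[str]:
    """Return every watched identifier found in a payload, in normalised form
    (lower-case; MACs colon-separated; handles prefixed with '@')."""
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    found |= {m.lower().replace("-", ":") for m in MAC_RE.findall(text)}
    found |= {m.lower() for m in VOIP_RE.findall(text)}
    found |= {"@" + m.lower() for m in HANDLE_RE.findall(text)}
    return found


@dataclass
class Mission:
    """Operator tasking handed to a FlyTrap: a beacon interval plus a map of
    target identifier -> task to run when that identifier is seen."""
    beacon_interval_s: int
    triggers: dict[str, str] = field(default_factory=dict)


@dataclass
class CherryTree:
    """Minimal C2 model: logs beacons, returns the mission, collects alerts."""
    mission: Mission
    log: list[dict] = field(default_factory=list)
    alerts: list[dict] = field(default_factory=list)

    def handle_beacon(self, status: dict) -> Mission:
        self.log.append(status)      # article: device status is logged to a database
        return self.mission          # article: the reply carries operator tasking

    def handle_alert(self, alert: dict) -> None:
        self.alerts.append(alert)


class FlyTrap:
    """Compromised router: beacons for tasking, then watches LAN traffic."""

    def __init__(self, device: dict, c2: CherryTree):
        self.device = device
        self.c2 = c2
        self.mission: Mission | None = None

    def beacon(self) -> Mission:
        status = {"model": self.device["model"], "mac": self.device["mac"],
                  "fw": self.device["firmware"]}
        self.mission = self.c2.handle_beacon(status)
        return self.mission

    def scan(self, records: list[dict]) -> list[dict]:
        """Check each traffic record against the mission triggers; on a hit,
        alert the CherryTree and record which task fired."""
        fired = []
        for rec in records:
            seen = extract_identifiers(rec["payload"]) | {rec["src_mac"].lower()}
            for ident, task in self.mission.triggers.items():
                if ident in seen:
                    alert = {"trigger": ident, "task": task, "src_mac": rec["src_mac"].lower()}
                    self.c2.handle_alert(alert)
                    fired.append(alert)
        return fired


# Constructed sample traffic as seen on the LAN side of the router.
SAMPLE_TRAFFIC = [
    {"src_mac": "AA:BB:CC:DD:EE:01", "payload": "MAIL FROM:<alice@example.org>"},
    {"src_mac": "aa:bb:cc:dd:ee:02", "payload": "INVITE sip:7005551234@voip.example SIP/2.0"},
    {"src_mac": "AA:BB:CC:DD:EE:03", "payload": "PRIVMSG #room :hey @bob_1 are you there"},
    {"src_mac": "AA:BB:CC:DD:EE:04", "payload": "GET /index.html HTTP/1.1"},
]

# Hypothetical mission: task names are invented for illustration.
MISSION = Mission(beacon_interval_s=3600, triggers={
    "alice@example.org": "copy_traffic",
    "aa:bb:cc:dd:ee:02": "copy_traffic",
    "sip:7005551234@voip.example": "alert_only",
    "@bob_1": "redirect",
})


def run_demo() -> tuple[CherryTree, list[dict]]:
    """One beacon followed by one pass over the sample traffic."""
    tree = CherryTree(mission=MISSION)
    trap = FlyTrap({"model": "example-router", "mac": "00:11:22:33:44:55",
                    "firmware": "constructed-1.0"}, tree)
    trap.beacon()
    return tree, trap.scan(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    tree, fired = run_demo()
    for a in fired:
        print(a)
```

The MAC of record two fires through the source address rather than the payload, which is why the scan merges both into one set of identifiers before consulting the triggers; identifier normalisation (case, MAC separators) is what lets a single trigger string match traffic written either way.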

CherryBlossom was designed to work on a range of devices, including wireless routers from Cisco, Z-Com, Linksys, Belkin and D-Link; the leaked documents include a list of the affected models. Because some devices allow firmware upgrades over the wireless link, the implant could in those cases be installed without physical access to the router. Once implanted, a router could be used for man-in-the-middle attacks or to deliver further surveillance tools to connected devices, and to monitor, manipulate and control the internet traffic of every device connected to it.

Publish date: June 16, 2017 11:16 am| Modified date: June 16, 2017 11:16 am
