CIA Firmware Hacked Popular Wireless Routers Since 2007

For the past decade, the CIA has been able to infiltrate scores of models of wireless routers, gaining access to connected devices from which agents could copy Internet traffic, steal passwords or redirect unwitting users to other sites.

Aldrin Brown, Editor-in-Chief

June 20, 2017

2 Min Read
CIA Firmware Hacked Popular Wireless Routers Since 2007

Brought to you by MSPmentor

For the past decade, the CIA has been able to infiltrate scores of models of wireless routers, gaining access to connected devices from which agents could copy Internet traffic, steal passwords or redirect unwitting users to other sites.

Existence of the so-called “Cherry Blossom” firmware modification program is alleged in the latest dump of purportedly top secret CIA cyber exploits from WikiLeaks, dubbed “Vault 7.”

The CIA has never publicly acknowledged the programs nor authenticated the Vault 7 documents.

Among the companies whose wireless routers have reportedly been compromised are Motorola, Linksys, Dell, Netgear, US Robotics, Belkin, Asus, Buffalo, DLink and Senao.

“The Cherry Blossom (CB) system provides a means of monitoring the Internet activity of and performing software exploits on targets of interest,” the WikiLeaks documents state. “In particular, CB is focused on compromising wireless networking devices, such as wireless (802.11) routers and access points…to achieve these goals.”

Cherry Blossom relies on implanting altered versions of the products’ firmware, either by intercepting the physical product between the manufacturer and the retailer or – remotely – during operations posing as wireless upgrades.

“This technique does not require physical access but typically does require an administrator password,” the documents state.

“Some exploitation tools…have been created to determine passwords for devices of interest,” the instructions go on. “If the device is using wireless security (e.g., WEP or WPA), then these credentials are required as well.”  

The firmware can also be delivered to devices that do not allow for firmware upgrades over wireless links.

“To workaround this issue, ‘Wireless Upgrade Packages’ have been created for a few devices of interest,” according to the manual. “In some cases, the Wireless Upgrade Package also can determine the administrator password.”

The latest documents, entitled “Cherry Bomb: Cherry Blossom User’s Manual,” indicates the program was started Jan. 9, 2006, with help from the Stanford Research Institute International.

For cases requiring a more sophisticated delivery method, there’s “Claymore,” which includes all of the above features, plus additional wrinkles.

“Claymore can run in a mobile environment (i.e. on a laptop) or in a fixed environment with a large antenna for longer ranges,” the documents state.

An implanted device is known as a “FlyTrap” and communicates via beacon with a CIA-controlled server known as CherryTree (CT).

“The CT will respond with a Mission that tasks the FlyTrap to search for target emails, chat users, or MAC addresses in the network traffic passing through the device,” the documents state.

An operator can monitor data about the progress of the exploit, launch missions or perform system administrator tasks via a browser interface called “Cherry Web.”

“FlyTrap can also setup VPN tunnels to a CherryBlossom-owned VPN server to give an operator access to clients on the FlyTrap’s WLAN/LAN for further exploitation,” the documents state. “The CherryTree logs Alerts to a database, and, potentially distributes Alert information to interested parties (via Catapult).”

 

Read more about:

AgentsMSPsVARs/SIs

About the Author

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.

 

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like