How the CIA hacked wireless home routers

For many years, the CIA has had the capability to compromise a wide range of commercial wireless routers, and to monitor, control and manipulate the traffic passing through them, documents leaked by WikiLeaks show.


About the Vault 7 data dump

The documents are part of the Vault 7 data dump, and WikiLeaks claims they originate from “an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia.” Symantec researchers have tied them to “Longhorn,” a cyber espionage group whose activity they have been following for years.

“Prior to the Vault 7 leak, Symantec’s assessment of Longhorn was that it was a well-resourced organization which was involved in intelligence gathering operations,” the researchers noted at the time. “The group appeared to work a standard Monday to Friday working week, based on timestamps and domain name registration dates, behavior which is consistent with state-sponsored groups.”

The newly leaked documents

This latest data dump contains system requirement specifications, installation guides, user manuals, lists, and upgrade procedures tied to the Cherry Blossom project.

“CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals,” WikiLeaks explains.

“The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap. A FlyTrap will beacon over the Internet to a Command & Control server referred to as the CherryTree. The beaconed information contains device status and security information that the CherryTree logs to a database. In response to this information, the CherryTree sends a Mission with operator-defined tasking. An operator can use CherryWeb, a browser-based user interface to view Flytrap status and security info, plan Mission tasking, view Mission-related data, and perform system administration tasks.”

The FlyTrap (compromised router) can be instructed to:

  • Scan for certain things in the passing network traffic (e.g. email addresses, chat usernames, MAC addresses, VoIP numbers) to trigger additional actions
  • Copy the target’s full network traffic
  • Redirect the target’s browser (for example, to sites that host exploits for applications and/or operating systems) or proxy the target’s network connections
  • Set up VPN tunnels to a CherryBlossom-owned VPN server to give an operator access to clients on the Flytrap’s WLAN/LAN for further exploitation.

Judging by the initial creation date of the Cherry Blossom user manual and installation guide, at least some of the capabilities have been available to CIA agents since 2006.

The initial compromise of the routers was executed through two exploits (codenamed Tomato and Surfside), which take advantage of device vulnerabilities and of the fact that the devices use Universal Plug and Play (UPnP) technology to make themselves more easily discoverable and configurable.

The list of vulnerable routers is considerable, and includes offerings by D-Link, Linksys, Belkin, 3Com, Aironet, and other manufacturers.

Whether these vulnerabilities have been plugged in the meantime is unknown. But even if they were, most users seldom – if ever – update their routers. As long as they can connect to and use their preferred websites and online services, the overwhelming majority of users wouldn’t even notice if their routers have been compromised.
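The beaconing that WikiLeaks describes is traffic the router itself originates, so a defender can look for it by comparing a LAN-side capture with a WAN-side one and checking what remains for regular timing. The following is an added example, not part of the original article or the leaked documents; the flow records, addresses, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows using documentation-range addresses (not from the leak).
# LAN-side capture: (epoch_seconds, client_ip, dst_ip, dst_port)
LAN_FLOWS = [
    (1000, "192.168.1.20", "198.51.100.7", 443),
    (1450, "192.168.1.20", "198.51.100.7", 443),
    (2300, "192.168.1.31", "203.0.113.80", 443),
]
# WAN-side capture: (epoch_seconds, dst_ip, dst_port); every flow is NATed to the router
WAN_FLOWS = [
    (1000, "198.51.100.7", 443), (1450, "198.51.100.7", 443),
    (2300, "203.0.113.80", 443),
    (900, "192.0.2.123", 123), (4500, "192.0.2.123", 123),
    (1200, "203.0.113.66", 443), (4805, "203.0.113.66", 443),
    (8395, "203.0.113.66", 443), (12001, "203.0.113.66", 443),
]
EXPECTED_ROUTER_DESTS = {("192.0.2.123", 123)}  # assumption: the router's NTP server


def router_originated(lan_flows, wan_flows):
    """Group WAN flow times by destination for destinations no LAN client contacted."""
    # Coarse match on (dst_ip, dst_port); a client talking to the same host hides it.
    lan_dests = {(dst, port) for _, _, dst, port in lan_flows}
    groups = defaultdict(list)
    for ts, dst, port in wan_flows:
        if (dst, port) not in lan_dests:
            groups[(dst, port)].append(ts)
    return groups


def beacon_candidates(lan_flows, wan_flows, expected, min_contacts=4, max_jitter=0.1):
    """Flag unexpected router-originated destinations contacted at regular intervals."""
    findings = []
    for dest, times in router_originated(lan_flows, wan_flows).items():
        if dest in expected or len(times) < min_contacts:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) == 0:
            continue
        jitter = pstdev(gaps) / mean(gaps)  # coefficient of variation of the gaps
        if jitter <= max_jitter:
            findings.append((dest, round(mean(gaps)), round(jitter, 3)))
    return findings
```

A hit is only a candidate for review: routers legitimately originate periodic traffic such as NTP, DNS and update checks, which is why the expected-destination set exists.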