A recent Wikileaks document dump revealed that the CIA has been hacking wireless routers. The documents suggest it has been going on for years and as many as 25 devices from 10 different manufacturers were targeted.
The documents list ten brands whose routers had been compromised: Asus, Belkin, Buffalo, Dell, Dlink, Linksys, Motorola, Netgear, Senao and US Robotics.
This latest leak included user manuals and installation guides for a number of hacking tools. One of them, dubbed CherryBlossom, let the CIA monitor a target’s internet activity, redirect their browser and scan for information.
“CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals,” WikiLeaks explains.
“The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap. A FlyTrap will beacon over the Internet to a Command & Control server referred to as the CherryTree. The beaconed information contains device status and security information that the CherryTree logs to a database. In response to this information, the CherryTree sends a Mission with operator-defined tasking. An operator can use CherryWeb, a browser-based user interface, to view Flytrap status and security info, plan Mission tasking, view Mission-related data, and perform system administration tasks.”
The FlyTrap (compromised router) can be instructed to:
- Scan for certain things in the passing network traffic (e.g. email addresses, chat usernames, MAC addresses, VoIP numbers) to trigger additional actions
- Copy the target’s full network traffic
- Redirect the target’s browser (for example, to sites that host exploits for applications and/or operating systems) or proxy the target’s network connections
- Set up VPN tunnels to a CherryBlossom-owned VPN server to give an operator access to clients on the Flytrap’s WLAN/LAN for further exploitation.
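The one behaviour in the description above that a network defender can observe from outside the device is the FlyTrap beaconing to its CherryTree server. The following is an added detection example, not code from the article or from the leaked manuals: it parses a constructed flow log (epoch, source IP, destination IP, destination port, bytes) and flags connections that the router itself opens to external hosts outside an allowlist at machine-regular intervals. The router IP, the allowlisted DNS/NTP resolvers, the LAN range and the 300-second interval are all assumptions made for the sample data; a real implant's timing is not stated on the page.

```python
"""Flag router-originated outbound connections that look like implant beaconing.

Added example (not the article's or the leaked manuals' code). Assumes a flow
log of lines in the form:  <epoch> <src_ip> <dst_ip> <dst_port> <bytes>
and that the router's own LAN-side IP is known. A consumer router rarely opens
its own outbound sessions beyond DNS, NTP and vendor update hosts, so small,
repeated, evenly spaced connections from the router itself to an unknown
external host are worth investigating.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample flow log: the router (192.0.2.1) contacts an unknown host
# (198.51.100.77) every 300 seconds with a ~420-byte payload, mixed with benign
# DNS/NTP lookups from the router and a LAN client (192.0.2.45) browsing the web.
SAMPLE_FLOWS = """\
1700000000 192.0.2.1 203.0.113.53 53 120
1700000005 192.0.2.1 198.51.100.77 443 420
1700000010 192.0.2.45 93.184.216.34 443 51200
1700000300 192.0.2.1 203.0.113.123 123 76
1700000305 192.0.2.1 198.51.100.77 443 415
1700000605 192.0.2.1 198.51.100.77 443 430
1700000905 192.0.2.1 198.51.100.77 443 418
1700001000 192.0.2.45 93.184.216.34 443 80000
"""

# Hosts the router is expected to contact on its own (assumed: DNS and NTP resolvers).
ALLOWLIST = {"203.0.113.53", "203.0.113.123"}
# RFC 1918 space plus the constructed LAN range used in the sample above.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]


def parse_flows(text):
    """Parse flow-log text into (ts, src, dst, port, bytes) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((int(ts), src, dst, int(port), int(nbytes)))
    return flows


def is_external(ip):
    """True if the address is outside the private/LAN ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE)


def find_beacons(flows, router_ip, allowlist, min_hits=3, max_jitter=0.2):
    """Return {dst: {"count", "interval", "avg_bytes"}} for flows the router itself
    opened to external, non-allowlisted hosts that recur at a near-constant interval."""
    by_dst = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        if src == router_ip and dst not in allowlist and is_external(dst):
            by_dst[dst].append((ts, nbytes))
    findings = {}
    for dst, hits in by_dst.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        avg_gap = mean(gaps)
        # Coefficient of variation of the inter-arrival gaps: low means machine-regular timing.
        if avg_gap > 0 and pstdev(gaps) / avg_gap <= max_jitter:
            findings[dst] = {
                "count": len(hits),
                "interval": avg_gap,
                "avg_bytes": mean(b for _, b in hits),
            }
    return findings


if __name__ == "__main__":
    for dst, info in find_beacons(parse_flows(SAMPLE_FLOWS), "192.0.2.1", ALLOWLIST).items():
        print(f"{dst}: {info['count']} hits every ~{info['interval']:.0f}s, ~{info['avg_bytes']:.0f} bytes each")
```

Running it on the constructed log reports only 198.51.100.77: the DNS and NTP resolvers are allowlisted, and the LAN client's browsing is ignored because it does not originate from the router. The jitter threshold is deliberately loose so that a beacon with a little timing noise still trips it; tighten `max_jitter` or raise `min_hits` if a real network produces too many hits.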
Judging by the initial creation date of the CherryBlossom user manual and installation guide, at least some of these capabilities have been available to CIA operators since 2006.
The initial compromise of the routers was carried out through two exploits (codenamed Tomato and Surfside), which take advantage of device vulnerabilities and of the routers' use of Universal Plug and Play (UPnP), a technology meant to make them more easily discoverable and configurable.