WikiLeaks publishes CIA methods to hack into routers

WikiLeaks has put a new publication in its Vault 7 series online. This revolves around the CIA’s Cherry Blossom project, which focuses on exploiting vulnerabilities in routers and access points, for example to carry out man-in-the-middle attacks.

The CIA describes Cherry Blossom in one of the documents published by WikiLeaks as a means of monitoring Internet activity and carrying out software exploits on targets. “CB is primarily focused on invading wireless network devices such as routers and access points to achieve these goals.”

The documents describe how network devices can be provided with custom firmware, wirelessly or remotely, to turn them into so-called FlyTraps. These FlyTraps connect to CherryTree, a command & control server. In doing so, they transfer information about the status of the network device, which CherryTree collects in a database. The server can also send commands to the network device, and a CIA employee can perform the administration via the browser interface CherryWeb.

In man-in-the-middle attacks, the CIA can use a FlyTrap to scan network traffic for email addresses, chat names, MAC addresses and VoIP numbers. All network traffic can also be intercepted, and users of the network can have their browsers redirected to exploits. In addition, a FlyTrap can set up VPN tunnels to VPN servers for direct access to client devices on the network.

Part of the publication is an overview of routers and access points, including whether the firmware can be updated wirelessly and whether an exploit can retrieve the administrator password. This is the case, for example, with the D-Link DIR-130 with firmware v1.12 and the Linksys WRT300N with version 2.00.08, as HackerFantastic noted.