

CIA Created 'CherryBlossom' Toolkit For Hacking Hundreds of Router Models (bleepingcomputer.com)

An anonymous reader writes: After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series -- documents about a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models. The tool is by far one of the most sophisticated CIA malware frameworks in the CIA's possession. The purpose of CherryBlossom is to allow operatives to interact and control SOHO routers on the victim's network. The tool can sniff, log, and redirect the user's Internet traffic, open a VPN to the victim's local network, execute actions based on predefined rules, alert operators when the victim becomes active, and more. A 24-page document included with the CherryBlossom docs lists over 200 router models from 21 vendors that the CIA could hack. The biggest names on this list are Apple, D-Link, Belkin, Aironet (Cisco), Linksys, and Motorola.

  • by Anonymous Coward

    Defense attorneys must be salivating at this news, right? The fact that so many different router models are exploitable just screams "reasonable doubt." Hundreds of different models of routers are affected. If the CIA could find and exploit these vulnerabilities, so could other people. Anyone being charged with a computer crime that doesn't have a physical nexus (e.g. DPR getting fake passports in the mail) should point to this information and say see, my router was hackable, anyone in the world could have

  • by Anonymous Coward on Thursday June 15, 2017 @09:27PM (#54630173)

    For example Tomato, DD-WRT, OpenWRT, and all the variants that are so popular on commodity hardware.

    • by hashish ( 62254 ) on Thursday June 15, 2017 @09:43PM (#54630229)

      Did you actually read the article?
      They are replacing the existing firmware with a new version with 'extra' functionality.
      The people who would not notice are the ones who would use the system out of the box and would not notice a hard reset. I am guessing a custom firmware users would notice.

      • by Shatrat ( 855151 )

        Honestly, I probably wouldn't unless they did it badly. If there was a hard reset I would assume a power issue while I wasn't looking. If they didn't change the function or the admin interface, I probably wouldn't know that my Tomato had been replaced with CherryTomato.

    • by AHuxley ( 892839 )
      AC, think of it as a swap-out. The device will still work and the user might not notice for a while.
    • by skids ( 119237 )

      The "supported" model list makes it look like they are only targeting default OEM loads. Which makes sense since that's what most people run.

    • I compile my own TomatoUSB based on Toastman source, and I can only access it from the intranet via ssh. I check my log from time to time to see if there is any anomaly too.

  • I didn't see anything about DD-WRT flashed routers in the manual.
    So maybe I'm good.

    • by AHuxley ( 892839 )
      The "Claymore" part looks for routers that will be open to such efforts.
  • by johnjones ( 14274 ) on Thursday June 15, 2017 @09:48PM (#54630249) Homepage Journal

    So the CIA uses its PoP to man-in-the-middle traffic directed at router manufacturers' firmware update sites, and none of them simply checked the firmware signature before applying?

    This is a pretty basic exploit and a pretty basic check for the router manufacturers...
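The check the comment above is asking for, as an added example that is not part of this thread and not any vendor's or CherryBlossom's code: a minimal firmware updater in Go that refuses to flash an image unless an Ed25519 signature made with the vendor's release key verifies over the whole image, and that also rejects downgrades. The image layout ("FWUP" header, version, length, payload, signature), the sentinel error names, and the keys generated at run time are all assumptions constructed for the demo. With this in place, a man-in-the-middle serving a modified image from a spoofed update site can neither alter the payload nor re-sign it with a key of their own; the pinned public key in the running firmware is the trust root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update-image layout (an assumption for this example, not a
// real vendor format):
//
//   "FWUP" | version (uint32, big-endian) | payloadLen (uint32) | payload | Ed25519 signature (64 bytes)
//
// The signature covers everything before it, so neither the payload nor the
// version field can be altered by whoever serves the download.

const (
	magic  = "FWUP"
	hdrLen = len(magic) + 4 + 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrMalformed    = errors.New("firmware image malformed")
	ErrBadSignature = errors.New("firmware signature invalid: refusing to flash")
	ErrRollback     = errors.New("firmware older than installed version: refusing to flash")
)

// BuildImage is what a vendor release pipeline would do: sign header+payload
// with the (ideally offline) release key and append the signature.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, 0, hdrLen+len(payload)+sigLen)
	img = append(img, magic...)
	var u [4]byte
	binary.BigEndian.PutUint32(u[:], version)
	img = append(img, u[:]...)
	binary.BigEndian.PutUint32(u[:], uint32(len(payload)))
	img = append(img, u[:]...)
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the check the updater must run before writing anything to
// flash. pub is the vendor public key pinned in the running firmware;
// installed is the running firmware's version (anti-rollback). It returns the
// new version and payload only when every check passes.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen || string(img[:len(magic)]) != magic {
		return 0, nil, ErrMalformed
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	// Compare in uint64 so a huge declared length cannot overflow the arithmetic.
	if uint64(hdrLen)+uint64(plen)+uint64(sigLen) != uint64(len(img)) {
		return 0, nil, ErrMalformed
	}
	signed := img[:hdrLen+int(plen)]
	sig := img[hdrLen+int(plen):]
	// Authenticate first: nothing in the image is trusted until the signature is good.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSignature
	}
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, signed[hdrLen:], nil
}

func main() {
	// Constructed demo keys: the vendor's release key and an attacker's key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed firmware payload") // stand-in for a real image

	good := BuildImage(priv, 2, payload)
	if v, _, err := VerifyImage(pub, 1, good); err == nil {
		fmt.Println("genuine update accepted, version", v)
	}

	// MITM case 1: attacker serves an image signed with their own key.
	forged := BuildImage(attackerPriv, 3, []byte("backdoored payload"))
	_, _, err := VerifyImage(pub, 1, forged)
	fmt.Println("forged image:", err)

	// MITM case 2: attacker flips a byte inside a genuine, correctly signed image.
	tampered := append([]byte(nil), good...)
	tampered[hdrLen] ^= 0xFF
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)

	// Downgrade: a genuine but older release replayed to reintroduce a fixed bug.
	old := BuildImage(priv, 1, payload)
	_, _, err = VerifyImage(pub, 2, old)
	fmt.Println("old image:", err)
}
```

The design choice that matters is ordering: length and magic are checked only far enough to locate the signature, the signature is verified next, and only then are the version and payload read as trusted values. A real updater would additionally verify the image again from flash at boot (secure boot), since a check done only at download time does not help against someone who can write the flash directly.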


  • Been using pfSense for years now, glad to know the FreeBSD life style is still holding up better than commercial consumer bullshit!

  • A long new password won't help the device.
    FlyTrap then connects to CherryTree.
    Mission then sends down the tasks to the device.
    CherryWeb is the GUI that looks over the new network.
    Windex alters the computers browsers i.e. malware.
    A copy of networked data via a new VPN.
    Years of access.
  • by Anonymous Coward

    This is certainly "unauthorized access to a computer system". So we're going to see people going to prison for this, right? Like I would, if I did something like that? ..... right?

    • You forget... there are two sets of rules:

      One for those who *make* the rules

      Another for the rest of us.

      Governments can murder, steal, defame and generally do many things that, as individuals, we would be prosecuted and perhaps even forfeit our lives for.

      And who says that power doesn't corrupt?

  • by Anonymous Coward

    Good to see ubiquiti isn't on the list

  • by WaffleMonster ( 969671 ) on Friday June 16, 2017 @01:25AM (#54630901)

    Page 24...

    "Barring guidance from the Sponsor with regards to particular devices of interest, Cherry Blossom has attempted to support wireless network devices that are ubiquitous and readily available (at least in the US)."

    Why does CIA care what is "ubiquitous" and "readily available" in the United States? Who are they targeting? Why would they waste considerable sums of time and effort developing cracked firmware images based on US market availability? Is the CIA's mission spying on Americans? Isn't this supposed to be "Illegal"?

    • by Anonymous Coward

      The CIA is forbidden from operating in the US. So much for rules and laws.

      • The CIA is forbidden from operating in the US. So much for rules and laws.

        Yep. They have dirt on you and everyone else, too. It doesn't even have to be dirt, but just data, which can be misconstrued to frame any person quite readily, for just about any kind of claimed legal transgression.

        The innocent should be just as afraid as the guilty.

        If this snooped-upon group of Americans includes members of the House and Senate, who make the laws controlling the CIA, then they have your government by the balls, and there is nothing anyone can (safely) do about it.

        Ignorance is freedom.

      • by AHuxley ( 892839 )
        AC, read up on Operation CHAOS and operating in the US. https://en.wikipedia.org/wiki/... [wikipedia.org]
  • Sounds like some obscure porn activity.

  • by jonwil ( 467024 ) on Friday June 16, 2017 @04:12AM (#54631357)

    Let's hope the absence of Netgear from the router list means my Netgear DGN2200M isn't vulnerable...

  • Was the CIA using it on routers in the US? That would be worth leaking - it would be a spy agency breaking all the rules to spy on Americans. I thought Wikileaks was for whistleblowers. Giving away the agency's secret tools isn't whistleblowing, it's treasonous. The public is not served by this. If anything, it puts the American people at a disadvantage.

    Snowden blew the whistle on NSA wrongdoing. This isn't wrongdoing, it's the toolset of a public security agency that wasn't using them to violate th

  • Did a quick scan of the attached user manual and from the table of contents, alone, I'm skeptical of its authenticity...

    If the (U) and (S) of items in the table of contents refer to (Unclassified) or (Secret) classifications, then the author of the document should have their security clearance revoked.

    Whenever a document contains multiple classifications, the document as a whole is classified at the strictest level; for example, if you have a document that is comprised of all Unclassified material ex
