WikiLeaks emits CIA's Wi-Fi pwnage tool docs

Spies do spying, part 78: Cherry Blossom malware gobbles up data flowing through routers

cherry blossom

Hundreds of commercial Wi-Fi routers are, or were, easily hackable by the CIA, according to classified files published today by WikiLeaks.

The confidential US government documents describe the Cherry Blossom project, which is the framework by which CIA operatives can subvert wireless routers; install software that harvests email addresses, chat usernames, MAC addresses and VoIP numbers; and allow man-in-the-middle attacks and browser redirection.

We're told Cherry Blossom, or at least version 5 of it, allows agents to infect both wireless and wired access points by installing a firmware upgrade dubbed FlyTrap that can be put on the device without needing physical access to it.

Flytrap can monitor internet traffic through the router, redirect web browser connections to websites that the CIA wants a target to see, proxy a target's network connections, and harvest and copy data traffic. It then sends it all back to a command and control system called Cherry Tree.

"The key component is the Flytrap, which is typically a wireless (802.11/WiFi) device (router/access point) that has been implanted with CB firmware," the documents state.

"Many wireless devices allow a firmware upgrade over the wireless link, meaning a wireless device can often be implanted without physical access. Supported devices ... can be implanted by upgrading the firmware using a variety of tools/techniques."

According to the documents, Cherry Tree servers are located in secure locations and run on Dell PowerEdge 1850-powered virtual servers, running Red Hat Fedora 9, with at least 4GB of RAM. Infections can also be managed via a web portal called Cherry Web. Fedora 9 was released in 2008, which gives you an idea of how far back this tech dates, and how many years it may have been in use.

The documents state that the surveillance software can usually be installed remotely, and includes tools for ferreting out an administrator's password for the device if it is stored internally to aid the process. It also says the malware can be installed in a "supply chain operation," presumably meaning the CIA can preinstall it on a new router by getting its hands on the hardware before it is delivered – something the NSA also does.

Installations of the Cherry Blossom framework can also be aided by a tool called Claymore, which is specifically designed to seek out and find Wi-Fi routers that can be hacked. Claymore can be run from a standard laptop and sent out using an ancillary aerial for longer-range pwnage.

WikiLeaks claims that the Cherry Blossom project was developed with the US nonprofit Stanford Research Institute, but there's little evidence beyond one mention in the documents. SRI hasn't returned a request for comment. ®


Biting the hand that feeds IT © 1998–2017