Wikileaks Exposes CIA Cherry Blossom Firmware Hack For WiFi Routers

WikiLeaks has published secret documents belonging to the United States government that reveal the Central Intelligence Agency (CIA) has been building and maintaining cyber tools designed to compromise wireless routers. These tools are the work of the CIA's hacking unit called Engineering Development Group. Among them is a specialized firmware referred to as Cherry Blossom.

"The wireless device itself is compromized by implanting a customized Cherry Blossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. Once the new firmware on the device is flashed, the router or access point will become a so-called FlyTrap," WikiLeaks explains.


Once the specially crafted firmware is installed on a target router, a remote actor is able to monitor any online traffic going to and from the device, including passwords and other data. Cherry Blossom essentially turns a wireless router into a spying device. The firmware also allows a remote actor to redirect the user's browser, sniff out email addresses and phone numbers, and more.

There are no shortage of router models that can be exploited with Cherry Blossom—one of the documents lists over 200 router models, though many of them are older units. The leaked document itself does not contain a date, however some of the individual manuals are dated between 2006 and 2012. One of the latest manuals lists 25 different devices from 10 different manufacturers, including Asus, Belkin, Buffalo, Dell, D-Link, Linksys, Motorola, Netgear, Senao, and US Robotics.

CIA Seal
Image Source: Flickr (Global Panorama)

"In general, once a make, model, and hardware version of a device is supported, it is straightforward to implant any later firmware versions, or international firmware versions, so long as the device has not changed its underlying hardware or operating system," one of the documents states.

Routers are popular points of infection because it serves as a central hub for all Internet traffic going to and from a particular network. Many models are also vulnerable to relatively easy exploits, which also makes them an attractive target for spying agencies.

Whether or not Cherry Blossom is still effective today is not clear. However, even if the CIA is no longer using Cherry Blossom, it is probably a safe bet that it has developed a replacement.