Sunday, June 18, 2017

Unveiling Router Security Issues by CIA

Gone are the days when CherryBlossom was just a Japanese flower. The term now also names a hacking program developed by the CIA.

WikiLeaks has dumped new files in its Vault 7 series, which covers CIA-made hacking tools.

CherryBlossom (CB) is a multi-functional framework for compromising wireless networking devices of many router and access-point models. Once a device is compromised, CherryBlossom monitors the internet activity passing through it and delivers software exploits to targets of interest.

Terminology used in CherryBlossom:

CherryBlossom is a project within the Cherry Bomb program; the leaked documents date from 2011-2012. They use the following terms to explain how the system works.


Flytrap: A wireless access point or router that has been compromised with the CherryBlossom firmware.

Mission: A task assigned to a Flytrap.

CherryTree: Also known as the command post; the command-and-control server that issues Missions and receives Flytrap status reports and alerts.

CherryWeb: A GUI-based command interface that runs on the CherryTree.

Beacon: A periodic communication from a Flytrap to the CherryTree.

Target: The user whose activities are being monitored.



Image source: original document

Implanting the CherryBlossom firmware

The Flytrap is implanted with the CherryBlossom firmware, either by means of the Claymore tool or through a supply-chain operation. Once implanted, the infected router beacons to the CherryTree (CT) at periodic intervals, and the operators task it over that channel.
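The leaked documents describe the Flytrap's beacon only as a periodic communication to the CherryTree, not its wire format, so the detection angle a defender has is the timing. The following is an added example, not code from the CherryBlossom documents or from WikiLeaks: it takes constructed flow records (a hypothetical router at 10.0.0.1 talking to a hypothetical command post at 203.0.113.10, plus an ordinary client for contrast), groups them by (source, destination, port), and scores each pair by how regular its connection intervals are. A coefficient of variation near zero over enough connections is the signature of a clockwork beacon; the thresholds are assumptions to tune against your own traffic.

```python
"""Flag periodic beaconing in flow records.

Added example, not from the CherryBlossom documents: the leak says a
Flytrap beacons to its CherryTree periodically but gives no wire format,
so this models only the timing pattern (fixed interval, small jitter).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.1 is the hypothetical router, 203.0.113.10 the hypothetical command post.
SAMPLE_FLOWS = [
    # Regular ~300 s beacons with a few seconds of jitter.
    (0, "10.0.0.1", "203.0.113.10", 443),
    (301, "10.0.0.1", "203.0.113.10", 443),
    (599, "10.0.0.1", "203.0.113.10", 443),
    (902, "10.0.0.1", "203.0.113.10", 443),
    (1200, "10.0.0.1", "203.0.113.10", 443),
    (1498, "10.0.0.1", "203.0.113.10", 443),
    # Ordinary browsing from a client: irregular gaps.
    (5, "10.0.0.20", "198.51.100.7", 443),
    (9, "10.0.0.20", "198.51.100.7", 443),
    (140, "10.0.0.20", "198.51.100.7", 443),
    (141, "10.0.0.20", "198.51.100.7", 443),
    (900, "10.0.0.20", "198.51.100.7", 443),
    (1300, "10.0.0.20", "198.51.100.7", 443),
]


def intervals_by_pair(flows):
    """Group flows by (src, dst, port) and return each group's sorted inter-arrival gaps."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    gaps = {}
    for key, ts in times.items():
        ts.sort()
        gaps[key] = [b - a for a, b in zip(ts, ts[1:])]
    return gaps


def beacon_score(gaps):
    """Coefficient of variation of the gaps: ~0 means clockwork-regular.

    Returns None when there are too few connections to judge, or when
    all connections share one timestamp (mean gap of zero).
    """
    if len(gaps) < 4:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(flows, max_cv=0.1, min_connections=5):
    """Return [(src, dst, port, mean_interval, cv)] for pairs whose timing looks periodic.

    max_cv and min_connections are assumed thresholds; tune them on real traffic.
    """
    hits = []
    for (src, dst, port), gaps in intervals_by_pair(flows).items():
        if len(gaps) + 1 < min_connections:
            continue
        cv = beacon_score(gaps)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, port, round(mean(gaps), 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(hit)
```

Run against real flow logs, the interesting hits are the ones where the source is the router's own address rather than a client behind it; a router that originates its own regular outbound sessions to an unfamiliar host is exactly the behaviour the Flytrap/CherryTree design implies.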

As per the manual on WikiLeaks, CherryBlossom works by implanting firmware on access points and routers, after which it monitors the internet activity passing through them and delivers software exploits. The architecture is not limited to wireless devices: wired devices behind the compromised router can be covered too. What a Flytrap does is controlled through Missions.

Mission types vary with the target. A Mission can, for example:

  1. Snoop on the traffic passing through the access point or router.
  2. Alert the operator when a target becomes active.
  3. Set up a VPN tunnel into the internal network.
  4. Monitor the activities of wired devices.
  5. Intercept and alter communication between parties that believe they are talking to each other directly (a man-in-the-middle position).
CherryBlossom uses a Linux-based tool called Sundew to find out the make and model of a wireless device. The scan identifies devices by their MAC address and then runs a series of further tasks to pin down the make and model of each network node.
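The documents say only that Sundew works from the MAC address; the standard first step for that is to look up the 24-bit OUI prefix in a vendor table. The following is an added example, not Sundew's code and not from the leaked documents: it normalises the MAC formats that scanners and switches emit, refuses multicast and locally-administered addresses (where the prefix says nothing about the maker), and looks the prefix up in a small constructed table. The OUI values and vendor names in the table are placeholders, not real registry entries; a real survey would load the IEEE OUI registry instead. Note also that an OUI identifies at best the vendor, not the model, which is why the documents describe further tasks after the MAC scan.

```python
"""Look up a wireless device's likely vendor from its MAC address prefix.

Added example, not code from the CherryBlossom or Sundew documents.
The OUI table below is constructed for illustration; the prefixes and
vendor names are placeholders, not real IEEE registry entries.
"""
import re

# Constructed OUI table: 24-bit prefix -> vendor (placeholder values).
SAMPLE_OUI_TABLE = {
    "00:11:22": "ExampleVendor-A",
    "00:33:44": "ExampleVendor-B",
    "A8:BB:CC": "ExampleVendor-C",
}


def normalize_mac(mac):
    """Return the MAC as 12 uppercase hex digits, or None if malformed.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return digits


def is_multicast(mac_digits):
    """Bit 0 of the first octet set: group address, never a single device."""
    return bool(int(mac_digits[0:2], 16) & 0x01)


def is_locally_administered(mac_digits):
    """Bit 1 of the first octet set: locally administered (e.g. randomised
    client MACs), so the prefix is not a vendor-assigned OUI."""
    return bool(int(mac_digits[0:2], 16) & 0x02)


def lookup_vendor(mac, table=SAMPLE_OUI_TABLE):
    """Return (vendor_or_None, reason) for one MAC address."""
    digits = normalize_mac(mac)
    if digits is None:
        return None, "malformed"
    if is_multicast(digits):
        return None, "multicast"
    if is_locally_administered(digits):
        return None, "locally-administered"
    oui = ":".join(digits[i:i + 2] for i in (0, 2, 4))
    vendor = table.get(oui)
    return vendor, ("ok" if vendor else "unknown-oui")


def survey(macs, table=SAMPLE_OUI_TABLE):
    """Map each observed MAC (e.g. BSSIDs from a wireless scan) to its lookup result."""
    return {mac: lookup_vendor(mac, table) for mac in macs}


if __name__ == "__main__":
    # Constructed scan results for the demo.
    observed = ["00:11:22:33:44:55", "a8-bb-cc-00-00-01", "02:11:22:33:44:55",
                "0033.4400.0001", "01:00:5e:00:00:01", "00:99:99:00:00:00", "00:11:22"]
    for mac, result in survey(observed).items():
        print(mac, "->", result)
```

The two rejection cases matter in practice: a randomised client MAC will sit in a locally-administered range and must not be attributed to a vendor, and a multicast destination seen in a capture is not a device at all.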

The hacking tools were developed with the help of SRI International, a non-profit organisation; its name appears in only one document, one related to Sundew.

CherryBlossom supports various router/AP models.

According to the CIA documents, Flytraps can be installed on wireless routers as well as access points. The vendors covered by the document are listed below; for the full vendor-specific model list, follow the original release document here.

3Com
Accton
Aironet/Cisco
Allied Telesyn
Ambit
AMIT, Inc
Apple
Asustek Co
Belkin
Breezecom
Cameo
D-Link
Gemtek
Global Sun
Linksys
Motorola
Orinoco
Planet Tec
Senao
US Robotics
Z-Com

Unlike the Shadow Brokers' last release, which contained the hacking tools themselves, WikiLeaks has released only the documents describing CherryBlossom and not the actual tools.
