WikiLeaks released a new batch of documents belonging to the Vault 7 leak, the files provide details related to the Cherry Blossom framework which is being used by the CIA cyber spies to hack into Wi-Fi devices.
The framework was developed by the CIA, along with experts at the Stanford Research Institute (SRI International), for hacking hundreds of home router models.
The Cherry Blossom framework was developed under the ‘Cherry Bomb’ project.
Cherry Blossom is a remotely controllable firmware-based implant for wireless networking devices, it could be used to compromise routers and wireless access points (APs) by triggering vulnerabilities to gain unauthorized access and load the custom Cherry Blossom firmware.
“The Cherry Blossom (CB) system provides a means of monitoring the internet
activity of and performing software exploits on targets of interest. In particular, CB is
focused on compromising wireless networking devices, such as wireless (802.11) routers
and access points (APs), to achieve these goals” states the user manual.
“An implanted device [called Flytrap] can then be used to monitor the internet activity of and deliver software exploits to targets of interest.” reads the CherryBlossom — Users Manual (CDRL-12).
“The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection,” WikiLeaks says.
The CherryBlossom is composed of four main components:
CIA cyber spies use Cherry Blossom framework to compromise wireless networking devices on the targeted networks and then run man-in-the-middle attacks to eavesdrop and manipulate the Internet traffic of connected devices.
FlyTrap could perform the following malicious tasks:
According to the documents, the CherryTree C&C server must be located in a secure sponsored facility and deployed on Dell PowerEdge 1850 powered virtual servers, running Red Hat Fedora 9, with at least 4GB of RAM.
The documents include a list of more 200 router models that CherryBlossom can target, experts noticed that most of them are older models from various vendors, including Belkin, D-Link, Linksys, Aironet/Cisco, Apple AirPort Express, Allied Telesyn, Ambit, AMIT Inc, Accton, 3Com, Asustek Co, Breezecom, Cameo, Epigram, Gemtek, Global Sun, Hsing Tech, Orinoco, PLANET Technology, RPT Int, Senao, US Robotics and Z-Com.
For the full list of devices in included in a WikiLeaks document .
Below the list of release published by Wikileaks since March:
(Security Affairs – Cherry Blossom, CIA)