According to a set of documents published by WikiLeaks last week, the Central Intelligence Agency has tooling that can monitor and manipulate the traffic passing through home and small-office Wi-Fi routers, putting devices from ten manufacturers at risk.
The CIA’s router implant firmware is called “CherryBlossom”. Two of the routers named in the documents, the D-Link DIR-130 and the Linksys WRT300N, can be infected even when they are protected by a strong administrator password: a companion exploit called “Tomato” steals the credentials from these routers as long as Universal Plug and Play (UPnP) is enabled. For most other models no exploit is needed, because routers commonly ship with a default or easily guessed administrator password that is never changed.
The documents say CherryBlossom runs on 25 router models and, with slight modifications, could be extended to cover more than 100 devices.
User Manual for CherryBlossom
The documents also include a 175-page user manual for CherryBlossom that details how it infects and controls routers. Once installed, CherryBlossom turns the router into a “FlyTrap” that communicates with a CIA-controlled command-and-control server called “CherryTree”. The FlyTrap sends a beacon to the CherryTree containing information such as device status and security details.
How it Works
CherryTree sends back a set of instructions with specific tasks for the FlyTrap, tailored to the target. Tasks can single out users by IP address, e-mail address, MAC address, chat user name or VoIP number.
Available tasks include copying traffic, harvesting e-mail addresses, chat user names and VoIP numbers, setting up a VPN tunnel that gives the operator access to the LAN behind the router, and proxying all network connections through the FlyTrap.
With the exception of the copied network data, communications between the CherryTree and the FlyTrap are encrypted and cryptographically authenticated. To blend in with ordinary web traffic, the encrypted beacon is disguised as a cookie in an HTTP GET request for an image file, and CherryTree answers with what looks like a corresponding binary image file.
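The beacon pattern described above lends itself to a simple network-side check. The following is an added example, not code from the leaked documents or from any CIA tooling: a heuristic detector that flags HTTP GET requests for image files whose Cookie header carries a long, high-entropy blob and which originate from the gateway’s own address (a router normally has no reason to fetch images from the internet). The thresholds, the gateway address, the sample requests and the idea of using entropy as the tell are all constructed assumptions for illustration; nothing here is a signature for CherryBlossom’s actual wire format.

```python
"""Heuristic detector for an image-GET-with-opaque-cookie beacon (added example).

Assumptions, not facts from the leaked manual: the beacon is long, looks random
(high Shannon entropy), rides in the Cookie header of a GET for an image file,
and is sent by the router itself. Thresholds are illustrative.
"""
import base64
import hashlib
import math
from collections import Counter

IMAGE_EXTENSIONS = (".gif", ".png", ".jpg", ".jpeg", ".ico", ".bmp")
MIN_SUSPICIOUS_COOKIE_LEN = 128   # assumed threshold, characters
MIN_SUSPICIOUS_ENTROPY = 4.5      # bits/char; random base64 approaches 6.0
GATEWAY_IPS = {"192.168.1.1"}     # assumed router address on the monitored LAN


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_request(raw):
    """Parse a raw HTTP/1.x request head into (method, path, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_image_request(method, path):
    """GET for a path that ends in a common image extension (query string ignored)."""
    return method == "GET" and path.split("?", 1)[0].lower().endswith(IMAGE_EXTENSIONS)


def cookie_is_suspicious(cookie):
    """Large, high-entropy Cookie header: could be an encrypted beacon."""
    blob = cookie.replace(" ", "")
    return (len(blob) >= MIN_SUSPICIOUS_COOKIE_LEN
            and shannon_entropy(blob) >= MIN_SUSPICIOUS_ENTROPY)


def flag_beacon_like_requests(records, gateway_ips=GATEWAY_IPS):
    """Return indices of (src_ip, raw_request) records matching the pattern.

    All three conditions must hold: the request comes from the gateway itself,
    it is a GET for an image, and its Cookie header is long and opaque.
    """
    flagged = []
    for i, (src_ip, raw) in enumerate(records):
        method, path, headers = parse_request(raw)
        if (src_ip in gateway_ips
                and is_image_request(method, path)
                and cookie_is_suspicious(headers.get("cookie", ""))):
            flagged.append(i)
    return flagged


def _pseudo_random_blob(seed, length):
    """Deterministic stand-in for an encrypted beacon (constructed sample data)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return base64.b64encode(out)[:length].decode()


def _request(path, cookie):
    return (f"GET {path} HTTP/1.1\r\n"
            "Host: www.example.com\r\n"
            f"Cookie: {cookie}\r\n"
            "\r\n")


# Constructed sample traffic, not captured data. Only record 1 should be flagged:
# record 2 is not an image request, record 3 is a tracking pixel fetched by a
# laptop with a large cookie, which is common and benign.
SAMPLE_RECORDS = [
    ("192.168.1.23", _request("/img/logo.png", "sessionid=abc123; lang=en")),
    ("192.168.1.1", _request("/images/pixel.gif", "s=" + _pseudo_random_blob("beacon", 256))),
    ("192.168.1.23", _request("/index.html", "s=" + _pseudo_random_blob("html", 256))),
    ("192.168.1.23", _request("/t/pixel.gif", "s=" + _pseudo_random_blob("tracker", 256))),
]

if __name__ == "__main__":
    print(flag_beacon_like_requests(SAMPLE_RECORDS))  # [1]
```

The source-address condition does most of the work: long opaque cookies on image requests are routine for advertising and tracking pixels, so the cookie heuristic alone would drown in false positives. A compromised router can of course spoof a LAN client address or carry its beacon in a different header, so treat this as a starting point for baselining what your gateway normally talks to, not as a complete detection.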
The approach is similar to that of other router malware such as DNSChanger, which has affected thousands of routers around the world.