CIA hacked wi-fi router firmware to spy on users

The CIA ran a scheme to develop and deploy compromised firmware for several popular wireless access points to surveil, manipulate traffic, and implant software exploits on target systems, according to leaked documents.

Released by WikiLeaks as part of its "Vault 7" set of CIA leaks, the documents outline the US government agency's "CherryBlossom" project to compromise wi-fi routers.

"CherryBlossom" requires CIA operatives to flash wi-fi routers with hacked firmware developed by the agency in order to take control of the device and establish a man-in-the-middle (MITM) position.

This may require physical access to the router and knowledge of the admin password, although the CIA noted that some brands allow firmware upgrades wirelessly.

After a successful reflashing of the router, it becomes controlled by the CIA as a "Flytrap", and communicates with a "CherryTree" command and control server which logs data and device status.

Operators have a web browser interface called "CherryWeb" to check on the compromised "FlyTrap" devices and receive missions such as deploying exploits on targets connected to the routers.

The list of wi-fi routers that the CIA developed hacked firmware for include devices from popular brands like 3Com, Accton, Cisco, Allied Telesyn, Apple, ASUStek, Belkin, D-Link, Linksys, Motorola, US Robotics, Z-Com, and more.

Multiple models of each brand are listed by the CIA as having compromised firmware.

The leaked document was first created in 2006 and last updated in 2012. It is not clear if the CIA has continued to produce hacked firmware for newer routers.

The documents do not reveal how often and how successfully the agency used the compromised firmware on wi-fi routers.

CIA worked with Stanford Research Institute International, a not-for-profit organisation, to develop and implement "CherryBlossom", the leaked documents state.