Vault 7: details of tools for hacking routers dumped

The CIA programme was called Cherry Blossom and it developed firmware that could be implanted in wireless networking devices, including access points and routers.

One of the manuals says: "An implanted device can then be used to monitor the Internet activity of, and deliver software exploits to, targets of interest. It should be
noted, however, that the CBlossom architecture does not limit itself to wireless devices – in general, wired network devices could be implanted/compromised in the same fashion to achieve the same goals."

The documents released date back to 2012.

{loadposition sam08}Four ways of getting the implants onto routers are outlined. One is to use the firmware upgrade Web page over a wireless link, a this technique that does not need physical access but generally needs an administrator password.

The second method is to use a wireless upgrade package as some devices do not allow firmware upgrades over wireless links.

A third means is to use what the CIA calls a Claymore Tool, a survey, collection, and implant tool for wireless (802.11/WiFi) devices that first tries to determine device makes/models/versions in a region of interest. The collection function isn used to capture wireless traffic. The implant function can perform wireless firmware upgrades and incorporates the exploitation tools.

Finally, the the firmware upgrade Web page over a wireless link, a technique that is described as being likely to be used in a supply chain operation. Presumably, this means the implant was done with the co-operation of the manufacturer.

The documents show firmware was created for a long list of networking devices. The manufacturers include Aironet/Cisco, Allied Telesyn, 3Com, Accton, AMIT, Asustek, Belkin, Breezecom, Cameo, D-Link, Gemtek, Global Sun, Linksys, Motorola, Orinoco, Planet Tec, Senao, US Robotics and Z-Com.

It is unclear as to whether the programme is still running today.