A new set of CIA documents exposed by Wikileaks describes a firmware called CherryBlossom which can be installed on network routers to compromise the traffic passing through them. Wikileaks claims that CherryBlossom was co-developed with SRI International. Affected brands include Apple, Cisco, D-Link, Asus and others.
Routers are an important, yet ignored, piece of our networks. Mostly, they are given a place in a corner of the house or under a table and left to gather dust while they power the internet in our homes.

Our ignorance of the router makes it vulnerable, because we aren’t concerned about its security. In fact, most routers don’t get patched for security flaws for years, unlike regular devices such as computers and smartphones.

Yesterday, Wikileaks released another set of tools and documents related to the CIA. Known as CherryBlossom, the project is, Wikileaks claims, a collaborative effort between the CIA and SRI International. It can be used to monitor network traffic and exploit software vulnerabilities on devices including wireless routers and access points, which are a common sight in our homes and other places.

Such devices can easily serve as the platform for MITM (man-in-the-middle) attacks. Any infected router or AP can be used to push malicious content to the user’s device and exploit bugs and loopholes in the device and its OS.

According to the leaked documents, it’s possible to replace a wireless router or access point’s firmware with the CherryBlossom firmware. The process is even easier for devices supporting over-the-air upgrades. For devices which don’t allow wireless upgrades, “Wireless Upgrade Packages” are created. There are also measures to bypass the administrator password on the devices.

Other methods include installing the firmware using a tool called Claymore which can be run on a laptop. It can determine a device’s make and model and find which wireless routers can be hacked. The malicious firmware can also be installed during a “supply chain operation,” the leaked documents say.

A compromised device is then known as a FlyTrap and connects to a command & control server dubbed CherryTree.

A FlyTrap sends data containing device status and security information to the CherryTree, which logs it in the C&C’s database. Based on that information, CherryTree issues further commands to perform tasks.

An operator can access a compromised device over a web interface called CherryWeb and view information about the device. A FlyTrap can be instructed to scan for Targets, such as email addresses, chat user names, MAC addresses and VoIP numbers, in the network traffic passing through it.

According to the leaked documents, this data can be used to initiate further actions for a Target, such as “copying of a Target’s network traffic” to the C&C server, “redirection of a Target’s browser (e.g. to Windex for browser exploitation),” and “proxying a Target’s network connections.”

The leaked documents further say that a FlyTrap can be instructed to perform “global actions” such as copying all network traffic, proxying all network connections, and even setting up a VPN tunnel from the FlyTrap’s network to a VPN server owned by CherryBlossom, thus giving the operators improved access to the network.
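The check-in behaviour described above, a router that itself contacts a fixed external server at regular intervals, is something a defender can look for in flow logs. The following is an added example, not code from the leaked documents or from this article; the gateway address, the flow-record format and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (not from the leaked documents): "ISO-time src dst dport bytes".
# 192.168.1.1 is assumed to be the home gateway whose behaviour we are reviewing.
SAMPLE_FLOWS = """\
2017-06-16T10:00:00 192.168.1.1 203.0.113.10 443 512
2017-06-16T10:00:03 192.168.1.20 93.184.216.34 443 20480
2017-06-16T10:05:02 192.168.1.1 203.0.113.10 443 498
2017-06-16T10:07:41 192.168.1.1 198.51.100.5 123 76
2017-06-16T10:09:58 192.168.1.1 203.0.113.10 443 530
2017-06-16T10:12:00 192.168.1.20 93.184.216.34 443 1024
2017-06-16T10:15:01 192.168.1.1 203.0.113.10 443 505
2017-06-16T10:20:00 192.168.1.1 203.0.113.10 443 511
"""

def parse_flows(text):
    """Parse constructed flow lines into (time, src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, _bytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_gateway_beacons(flows, gateway_ip, min_events=4, max_jitter=0.1):
    """Return [(dst, dport, count, mean_interval_s)] for external hosts that
    the gateway itself contacts at a near-regular cadence. A home router
    originates little traffic of its own, so such a pattern merits review."""
    series = defaultdict(list)
    for ts, src, dst, dport in flows:
        if src == gateway_ip:
            series[(dst, dport)].append(ts)
    hits = []
    for (dst, dport), times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low relative spread between successive contacts => periodic check-in.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((dst, dport, len(times), round(avg, 1)))
    return hits

if __name__ == "__main__":
    for hit in find_gateway_beacons(parse_flows(SAMPLE_FLOWS), "192.168.1.1"):
        print("possible beacon from gateway:", hit)
```

The single NTP contact and the LAN client's browsing are ignored; only the five-minute cadence from the gateway to 203.0.113.10:443 is reported.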

Is your router safe?

The leaked documents also include an extensive list of devices which can be compromised using CherryBlossom. The list includes various brands such as Apple, Cisco, Belkin, Asus, D-Link, Linksys, etc.

CherryBlossom follows the release of other CIA-related documents including Pandemic, Athena, AfterMidnight, Archimedes, etc., which are part of Wikileaks’ Vault 7 series.