CherryBlossom: How the CIA uses it to spy and collect information

By Maximilian Holm, filed under Online Privacy

What is CherryBlossom?

WikiLeaks has been publishing a steady stream of documents as part of its Vault 7 leak. The latest batch, released on June 15, describes a CIA project called CherryBlossom, whose purpose is to compromise a wide range of commercial routers and wireless access points.

CherryBlossom lets the CIA, or any other actor with access to the tooling, implant a router with modified firmware. The implanted device, which the documents call a FlyTrap, then beacons to a command-and-control server called CherryTree. Through a browser-based administration panel called CherryWeb, operators assign the FlyTrap "Missions" to carry out.


“Most routers and WiFi access points are neglected so much by users that they are rarely ever patched and updated. In a large number of cases, the default login credentials are never changed. These facts alone make these devices quite vulnerable to attack.” - Chris Hinkley, lead ethical hacker of Armor.

These missions range from scanning traffic for email addresses, usernames, MAC addresses and VoIP numbers, to copying the full network traffic of one or more targets, redirecting browser requests through man-in-the-middle attacks, or proxying network connections. A FlyTrap can additionally set up a VPN tunnel to a CherryBlossom-controlled server, through which the operator can reach every client on the FlyTrap's WLAN/LAN.

Using CherryWeb, the CIA can start a mission that copies the network traffic of one or more targets on a network and sends it back to the server. CherryTree can also be used to track a target in real time, or to alert the operator whenever the target connects to the FlyTrap or triggers a predefined event.
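The beaconing described above is also the implant's weak point from a defender's perspective: a FlyTrap has to phone home, so a compromised access point shows up in flow logs as the device's own IP opening outbound connections to the same destination at a steady cadence, something client browsing does not do. The script below is an added example of that detection logic, not code from OVPN or from the leaked documents. The log format, the addresses, the 300-second cadence and the thresholds are assumptions for the demo; a real router also talks to NTP and DNS servers on a schedule, so those ports are allowlisted to avoid flagging normal behaviour.

```python
"""Flag router-originated connections that recur at a regular interval.

Added example for the CherryBlossom write-up. A FlyTrap must beacon to its
CherryTree server, so an implanted access point appears in upstream flow
logs as its own IP contacting one destination on a fixed schedule.
Everything below (log format, IPs, interval, thresholds) is assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flows, "timestamp src dst dport proto bytes", as a
# hypothetical upstream firewall might export them. 192.168.1.2 is the access
# point under suspicion; 192.168.1.23 is an ordinary laptop behind it.
SAMPLE_FLOWS = """
2017-06-16T10:00:00 192.168.1.2 198.51.100.7 443 tcp 412
2017-06-16T10:00:04 192.168.1.23 93.184.216.34 443 tcp 18322
2017-06-16T10:00:31 192.168.1.23 151.101.1.69 443 tcp 77210
2017-06-16T10:00:41 192.168.1.23 93.184.216.34 443 tcp 2210
2017-06-16T10:01:10 192.168.1.2 203.0.113.80 80 tcp 1540
2017-06-16T10:01:12 192.168.1.2 203.0.113.80 80 tcp 1602
2017-06-16T10:02:00 192.168.1.2 192.0.2.50 123 udp 76
2017-06-16T10:05:01 192.168.1.2 198.51.100.7 443 tcp 408
2017-06-16T10:07:15 192.168.1.23 93.184.216.34 443 tcp 90331
2017-06-16T10:09:59 192.168.1.2 198.51.100.7 443 tcp 415
2017-06-16T10:10:32 192.168.1.2 192.0.2.50 123 udp 76
2017-06-16T10:15:00 192.168.1.2 198.51.100.7 443 tcp 410
2017-06-16T10:18:40 192.168.1.2 203.0.113.80 80 tcp 1588
2017-06-16T10:18:41 192.168.1.2 203.0.113.80 80 tcp 1597
2017-06-16T10:19:04 192.168.1.2 192.0.2.50 123 udp 76
2017-06-16T10:20:02 192.168.1.2 198.51.100.7 443 tcp 411
2017-06-16T10:21:50 192.168.1.23 93.184.216.34 443 tcp 4411
2017-06-16T10:22:03 192.168.1.23 93.184.216.34 443 tcp 1200
2017-06-16T10:24:58 192.168.1.2 198.51.100.7 443 tcp 409
2017-06-16T10:27:36 192.168.1.2 192.0.2.50 123 udp 76
"""

# Services a router is expected to contact on a timer; excluded by default.
EXPECTED_SERVICES = frozenset({("udp", 123), ("udp", 53), ("tcp", 53)})


def parse_flows(text):
    """Parse the whitespace-separated flow export into tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto, int(nbytes)))
    return flows


def find_beacons(flows, device_ips, min_count=4, max_cv=0.1, expected=EXPECTED_SERVICES):
    """Return (src, dst, dport, proto) groups originated by the router itself
    whose inter-connection gaps are nearly constant.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps; a value near zero means a timer, not a human.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport, proto, nbytes in flows:
        if src in device_ips and (proto, dport) not in expected:
            groups[(src, dst, dport, proto)].append((ts, nbytes))

    findings = []
    for (src, dst, dport, proto), events in groups.items():
        if len(events) < min_count:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "dport": dport, "proto": proto,
                "count": len(events), "interval_s": round(avg_gap),
                "cv": round(cv, 3),
                "avg_bytes": round(mean([b for _, b in events])),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS), {"192.168.1.2"}):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']}/{hit['proto']} "
              f"every ~{hit['interval_s']}s x{hit['count']}, ~{hit['avg_bytes']} B/conn")
```

Run against the sample, only the 443/tcp connections to 198.51.100.7 are reported: six small, near-identical connections roughly 300 seconds apart. The router's NTP polls are just as regular but are dropped by the allowlist, and its two bursts of HTTP traffic are rejected because the gaps between them are wildly uneven. In practice you would feed this a day of flows from the firewall upstream of the access point (or a mirror port), list every gateway and AP address in `device_ips`, and treat any surviving hit as something to explain, not necessarily an implant.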

How can I protect myself?

Since the leaked documents appear to be from 2016 at the latest, it is unclear exactly which devices are still vulnerable. We nevertheless strongly recommend upgrading your router to the latest firmware the vendor provides or, where the device is supported, flashing it with an open source firmware such as OpenWrt, DD-WRT, Asuswrt-Merlin or Tomato. A router that no longer receives updates from its vendor should be replaced rather than trusted. If possible, use pfSense or our own OVPNbox, neither of which has been shown to be vulnerable. The OVPNbox runs our own firmware, with an easy-to-use interface on top of our security features, such as the ability to run up to four VPN connections simultaneously for more control over how your home network is segmented.

In addition to upgrading your firmware, we strongly advise changing the administrative password on your router from the default, and avoiding unprotected public networks unless you are connected through a VPN tunnel. OVPN encrypts all of your traffic between your device and our servers, which prevents anyone on the local network from intercepting or hijacking it. The OVPN client also offers DNSCrypt, so that your DNS queries cannot be read or tampered with by a hostile access point, as well as a kill switch that blocks all Internet traffic if you are unexpectedly disconnected from our servers. Together these greatly increase your privacy and security, especially on public WiFi hotspots.

What happens next?

If CherryBlossom were ever released to the masses or replicated by other means, it could have devastating effects, not only for private citizens connecting through public WiFi hotspots but also for businesses. Similar tools developed by various agencies have caused great harm in the past and have been used in creative ways, most recently through WannaCry, which we wrote about before.

There are, of course, some differences, but CherryBlossom is still a frightening threat. For example, a person could set up a FlyTrap in a popular public hotspot and use it to redirect users to fake websites with the intent of stealing bank credentials or payment details, gathering details about them, or even stealing data and personal information directly from their devices to sell to third parties or use for blackmail. CherryBlossom could also be used to spread malware quickly or build large botnets, or be modified in a myriad of other ways to better serve the purposes of the attacker.