CIA Has Been Hacking Your Wi-Fi for Years: Wikileaks

The Central Intelligence Agency based in the US can monitor and manipulate incoming and outgoing traffic on your Wi-Fi router.

In fact, devices from some 10 manufacturers are at risk including those from Linksys, D-link to name a few.

This was revealed in a set of leaked documents on WikiLeaks last week.

Read More: US and UK Have Data from NADRA : Wikileaks


CIA’s firmware that infects your router is called “CherryBlossom” and is especially effective on D-link DIR-130 and Linksys WRT300N. This is because these two routers can be infected even if they have a strong admin password on them.

Another exploit called Tomato can extract the passwords from these routers if they are using a feature called universal plug and play. Most of the routers usually have an easy to guess or a default password that is never changed.

According to the documents CherryBlossom can affect 25 router models with slight modifications allowing it to cover over a 100 devices.

Full User Manual for CherryBlossom

The documents also included a 175 page user manual for Cherry Blossom, detailing how it infects and manipulates routers. CherryBlossom turns your router into a FlyTrap that communicates with a CIA controlled server called CherryTree. It sends a beacon to the CherryTree which contains information such as device status and security details.

How it Works

CherryTree then sends back a set of instructions or “Mission” with specific tasks for CherryBlossom, tailored to an individual user. The Missions can target users based on their IPs, e-mail addresses, MAC addresses, chat user names, and VoIP numbers.

Missions include tasks such as copying traffic, copying e-mail addresses, chat user names, and VoIP numbers, setting up a VPN which allows access to the LAN network and proxying all network connections.

Fully Encrypted

The communications between the CherryTree and the FlyTrap are fully encrypted and cryptographically authenticated, with the exception of the copied network data. The encrypted data is disguised as a cookie in an HTTP GET request for an image file. CherryTree then sends a corresponding binary image file.

This is quite similar to other router malware like DNSChanger which affect thousands of routers across the world. However CIA’s version has a number of additional features and extensive mission tasks which set it apart from other malware.

2007 Called, They Want Their Malware Back

Another important thing to note here is that the leaked documents which mentioned CherryBlossom date back to 2007. Hacking routers wasn’t as prevalent as it is nowadays.

When asked about the latest Wikileaks documents, CIA officials have neither confirmed nor denied the authenticity of the leak. The large scale of the leak and the unique details mentioned in the documents has led many researchers to believe that the leak is indeed authentic.

A techie, Overwatch and Street Fighter enthusiast, and Editor at ProPakistani.

  • Ltd feature videos

    Watch more at LTD