Skip to Content
Security & privacy

CIA accused of hacking Wi-Fi routers for at least a decade

Your home router isn’t just a way to connect your gadgets to the internet. It’s a vital part of your security setup and of keeping hackers off your network. That’s why router security flaws are such a big deal. A router with a weakness leaves your computer and other gadgets open to invasion from the internet.

This is why the latest leaked documents from Wikileaks is troubling. The leaks were said to reveal the activities of the CIA’s elite hacking team known as the “Engineering Development Group.”

The files include manuals, installation guides, maps and charts, which detail how the agency performs its router exploits and hacks.

One of the documents pertains to a tool called “Cherry Blossom,” which claims that the CIA has been hacking Wi-Fi routers and using them to monitor the target’s internet activity or as secret spying stations for at least a decade.

The 175-page document describes the Cherry Blossom (CB) system as a “means of monitoring the internet activity and performing software exploits on targets of interest” by focusing on “compromising wireless routers and access points.”

According to the document, the CB firmware can be implanted in “roughly 25 different devices from 10 different manufacturers. The affected home routers are from various manufacturers, including popular models from Asus, Linksys, Netgear, D-Link, and Belkin.”

Note: Can’t view the images? Click here to read the article on the Komando website.

Device support also requires that the CB implant can be built into the router’s original firmware. The implant can then be installed remotely by using administrator password exploits, including a technique called “Tomato” where certain Linksys and D-Link models’ passwords can be extracted if the Universal Plug-and-Play (UPnP) feature is turned on.

“In general, once a make, model, and hardware version of a device is supported, it is straightforward to implant any later firmware versions, or international firmware versions, so long as the device has not changed its underlying hardware or operating system,” the document likewise revealed.

Once the CB firmware is installed, the router can then be converted into what the document refers to as a “Flytrap,” a device that can send data (called beacons) and receive commands (called missions) from a command-and-c0ntrol server dubbed as a “CherryTree.” Communication with its operators is accomplished with a web user interface named “CherryWeb.”

Missions include harvesting of email, chat usernames, MAC addresses and VOIP addresses, copying of target’s network traffic and browser redirection.


The CherryBlossom documents are dated to be from 2007 so the techniques may have been in use for at least a decade now but it is not clear if the CB firmware is still effective or in use today.

Additionally, the CIA has not commented nor has it confirmed the authenticity of the documents.

However, now that the CherryBlossom exploit is out in public, cybercriminals may now be able to employ the techniques and adopt them for their own uses.

What you can do

There are a few defenses against these firmware-level router exploits, but there are a few vital things you should always be doing with your router anyway.

As we always say, check for your router’s latest firmware update then install it. Updating your router’s firmware is not as hard as it sounds. The procedure depends on your router, but you typically access an administrator page via a browser. Simply type the router’s default IP address of your particular router in your browser’s address bar.

Common IP addresses for popular routers are for Linksys and D-Link, for Netgear, or for Belkin. Should none of these addresses work for you, a free app can help.

Once you’re on the router’s administrator page in a browser, you will have to enter a username and password to log in. Remember when I said that passwords were readily available online? Click here for the link you need to find just about any router’s username and password.

Once logged in, find an area called “Advanced” or “Management” to check for firmware updates. Usually, you will have the option to check, review, download, and install your router’s new firmware on the same page.

For that added peace of mind, you’ll also want to make sure you’ve changed the default router password. Every hacker in the world knows the default passwords, so you need to create one of your own that’s strong.

More from

Warning of new malware attacks against power grids

Warning! Hackers are selling access to your calls, texts and location on the Dark Web

Phishing scam steals your login using your smartphone

Refer friends, earn rewards

Share your source of digital lifestyle news, tips and advice with friends and family, and you'll be on your way to earning awesome rewards!

Get started