CherryBlossom: spring, Japan, drifts of fragrant clouds come to mind. But here, it's the CIA. Wikileaks are known for their subversive public service of releasing leaked government files containing information which, they feel, the public has a right to know. They have been steadily releasing astounding documents, including the CIA's 'Vault 7' series.
CherryBlossom is another such release. On June 15th, 2017, Wikileaks published the CherryBlossom files. These documents amount to a complete guide to using the product: system requirements, a 175-page quick start guide, an installation guide, the supported WiFi devices, and diagrams and models showing how to operate it.
CherryBlossom is a monitoring framework devised by the CIA together with the Stanford Research Institute (SRI), as part of a project called Cherry Bomb. It is so named because its victim devices can be seen as little blossoms on the ends of boughs, on branches of the central CherryTree. So what is it for?
CherryBlossom works at the firmware level. For the layperson, firmware is the software that programmes the device itself, as opposed to application software like word processors or spreadsheets, which store and manipulate whatever you put into them. Firmware can be anything from the BIOS that gets your computer up and going to the software that runs your washing machine's various cycles.
So if CherryBlossom replaces a device's firmware, which devices is it instructing, and to what end? Well, the CIA is casting random flies for trout again. What they do is infiltrate the wireless devices in an environment (this can be at your office, in a public space like an airport, or even the router in your home, sweet home), because, God Bless America, they might just pick up something compromising.
As we're all aware, intelligent devices require frequent updates (think of your cell phone), and we are so accustomed to them fetching these over a WiFi connection that we seldom think to check what is entering our digital door. Of course, your device may try to block CherryBlossom, but, as section 5.1 (S) of the CherryBlossom Quick Start Guide instructs, the modified firmware can be loaded through the device's own firmware upgrade web page, and where that page demands an administrator password, the Tomato or Surfside tools can be used to get round it. The guide is nothing if not practical. Otherwise, you can use wireless upgrade packages, push your way in with Claymore, or use a LAN link to 'upgrade' devices in a supply chain operation.
Right! Now we're in. Once the firmware has been replaced, the device (now styled a 'Flytrap') sends a beacon containing its security configuration and device status to the CherryTree, which adds it to a database. The CherryTree is the central command post for the whole operation, and authorised parties can reach it remotely through the CherryWeb interface.
The CherryTree then assigns a 'Mission' to the Flytrap, according to the type of information it wishes to harvest. Missions can include collecting email addresses, online account user names and VoIP numbers; redirecting your browsing to unsavoury websites; using your device to deliver malware to the machines connected to it; copying your network traffic; and even setting up VPN tunnels that give the operator direct access to the network behind the Flytrap.
And the scary part? The CIA has been spying on networks with CherryBlossom since 2007. That's ten years of lost privacy.
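The one thing a Flytrap cannot hide from the network it sits on is that beacon: a router that normally only answers its clients suddenly starts opening its own sessions to the same outside address at regular intervals. The script below is an added example for this article, not code from the Vault 7 documents, and it knows nothing about the real Flytrap beacon format. It runs a generic beaconing check over constructed flow records (timestamp, source, destination, port; all addresses from documentation ranges), restricted to the gateway's own address, and flags any destination it contacts at a near-constant period. The NTP allow-list, the 192.168.1.1 gateway and the 600-second check-in are assumptions made up for the example.

```python
"""Generic beacon (periodic check-in) detection over outbound flow records.

Added example: it does not know the Flytrap beacon protocol. It simply looks
for a source that keeps contacting the same destination at a near-constant
interval, which is how an implanted router reporting to its command server
looks from the LAN side.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_s, src_ip, dst_ip, dst_port).
# 192.168.1.1 is the LAN gateway. All addresses are documentation ranges.
SAMPLE_FLOWS = []

# Hypothetical implant check-in: the gateway itself opens an HTTPS session
# to 203.0.113.10 roughly every 600 s, with a little jitter.
for _t in (0, 598, 1205, 1799, 2402, 2996, 3601, 4197):
    SAMPLE_FLOWS.append((_t, "192.168.1.1", "203.0.113.10", 443))

# Legitimate periodic traffic from the gateway: NTP every 1024 s.
for _i in range(6):
    SAMPLE_FLOWS.append((_i * 1024, "192.168.1.1", "198.51.100.20", 123))

# Ordinary, irregular browsing from a client behind the gateway.
for _t in (12, 40, 300, 310, 1500, 1530, 2900, 4100):
    SAMPLE_FLOWS.append((_t, "192.168.1.23", "198.51.100.5", 443))


def find_beacons(flows, sources=None, min_count=6, max_cv=0.1,
                 ignore_ports=frozenset({123})):
    """Return (src, dst, port) tuples whose connection gaps are nearly constant.

    sources      -- only consider these source IPs (e.g. the gateway); None = all
    min_count    -- need at least this many connections to judge periodicity
    max_cv       -- coefficient of variation (stdev / mean of the gaps) threshold
    ignore_ports -- destination ports that are periodic by design, such as NTP
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, port in flows:
        if sources is not None and src not in sources:
            continue
        if port in ignore_ports:
            continue
        by_tuple[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), stamps in by_tuple.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # 0 means perfectly regular; jitter raises it
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "count": len(stamps), "period_s": round(avg),
                         "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS, sources={"192.168.1.1"}):
        print(hit)
```

Run with the default allow-list, the only hit is the gateway's 600-second session to 203.0.113.10; the client's browsing is far too irregular to qualify. Drop the NTP allow-list (`ignore_ports=frozenset()`) and the gateway's perfectly regular NTP polling is flagged as well, which is the usual false positive for this kind of check, so in practice you keep an allow-list of the periodic services the device is known to use and treat anything else it initiates on its own as worth a look.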