The CIA Has Been Hacking Routers – What to Do

Ray Walsh

June 19, 2017

Your router is your link to the internet. No matter how many devices you have in your home – or business – all the data coming and going from them must pass through that router. Sadly, routers have long been known to be vulnerable to hackers.

Now, a new leak from the famous whistleblower organization Wikileaks has revealed that the CIA has been making use of router vulnerabilities for years. The new Vault 7 documents shed light on the US intelligence agency’s ability to use malware to turn commercial routers against their owners.

Within the leaked files a number of exploits are named. They give the CIA a foothold on the router and, from there, visibility of the traffic passing through it, completely unbeknownst to its owner.

Router Hacking Toolkit

According to the Wikileaks release, the CIA has been using a whole arsenal of router hacking tools. Among them are exploits called Claymore, Surfside, and Tomato. The leak explains that the CIA tools exploit vulnerabilities contained within the firmware of popular, ageing Linksys and D-Link routers.

The problem for most people is that their router is usually issued by their Internet Service Provider (ISP). After they are installed, those routers often sit in the corner gathering dust for years, never receiving important firmware upgrades. The vulnerabilities were there from the start; what a missed update does is leave them unpatched long after they are publicly known, which is exactly what allows hackers – on this occasion the CIA – to make use of them.

Full Access

The documents released by Wikileaks reveal that the CIA leverages those vulnerabilities to obtain the router’s administrative passwords and to remotely monitor the traffic that flows in and out of its targets’ networks.

At times, the CIA even replaces the router’s firmware with its own implant (the compromised device is called a FlyTrap in the documents), which gives operatives persistent control over it. This gives the spy agency a vantage point over every machine and device on the network.

Weak Link

Having direct control over a router’s firmware is valuable, which is why some consumers choose a router whose firmware they can replace. Sadly, the vast majority of internet users have no control over the stock firmware that their cheap ISP-issued router comes with. Matthew Hickey, founder and security researcher at the firm Hacker House, explains the problem with those types of routers:

“There’s no sign to tell you whether your router is hacked or not—you’re just on the internet as normal. The only thing is that everything you’re doing on the internet is going through the CIA.”

Despite the important role that a router has in allowing people to connect to the internet, most routers aren’t designed to be easily upgradable. Ignorance about the need to upgrade a router – and the effort required to do so – means that most routers simply sit in the corner of the room. Unfortunately, this weakness has given the CIA an easy entry point that grants them access to vast amounts of private data.

Attack Vector

According to the documents released by Wikileaks, the attack begins with a hacking tool called Claymore. That tool scans internet-facing networks looking for routers. Once it discovers a vulnerable router, it dispatches malware onto the router, thus beginning the infection process. From there, the CIA uses the Surfside and Tomato exploits (not to be confused with the Tomato firmware for routers) to steal administrative passwords.

It is unknown exactly how those exploits work. However, the leaked documents suggest that they may make use of a protocol called Universal Plug and Play (UPnP), which has long been known to have weaknesses that make it susceptible to cyberattacks. That protocol lets devices be discovered automatically when they appear on a network, and lets applications open ports on the router without authentication. Sadly, it may also have been creating an entry point for the CIA. If you do not need UPnP, disable it in the router’s settings, and make sure it is never reachable from the internet-facing (WAN) side.
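The discovery step described above can be seen from the defender’s side. The following probe is an added example (not the article’s code and unrelated to the leaked CIA tooling): it sends the UPnP SSDP M-SEARCH request that every UPnP device answers and parses the replies, including the SERVER header that usually names the router’s operating system, UPnP stack and version. The sample reply embedded at the bottom is constructed, and the device names in it are invented.

```python
"""SSDP probe: how UPnP discovery works, and what a router reveals when it answers.

Added example (not the article's code and unrelated to the leaked CIA tools).
A UPnP client multicasts an HTTP-formatted M-SEARCH to 239.255.255.250:1900;
every UPnP device on the LAN replies with a unicast "HTTP/1.1 200 OK" whose
LOCATION, SERVER and USN headers identify it. The SERVER header typically
names the operating system, UPnP stack and version running on the router,
which is the first thing an attacker, or a defender doing inventory, wants.
"""
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_URN = "urn:schemas-upnp-org:device:InternetGatewayDevice"


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request; MX is how many seconds devices may wait before answering."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


@dataclass
class SsdpDevice:
    location: str   # URL of the device description XML
    server: str     # OS / UPnP stack / version string
    usn: str        # unique service name, used to de-duplicate replies
    source: str     # IP address the reply came from


def parse_ssdp_response(raw: bytes, source: str = "") -> Optional[SsdpDevice]:
    """Parse one SSDP datagram; returns None unless it is a 200 OK carrying a LOCATION header."""
    head = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None                      # NOTIFY announcements and junk are ignored
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if "location" not in headers:
        return None
    return SsdpDevice(headers["location"], headers.get("server", ""),
                      headers.get("usn", ""), source)


def is_internet_gateway(dev: SsdpDevice) -> bool:
    """True if the responder advertises the IGD profile (port-mapping / WAN control services)."""
    return IGD_URN in dev.usn


def discover(timeout: float = 2.0) -> List[SsdpDevice]:
    """Multicast an M-SEARCH on the local network and collect unique responders."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: Dict[str, SsdpDevice] = {}
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            try:
                data, addr = sock.recvfrom(65507)
            except socket.timeout:
                break
            dev = parse_ssdp_response(data, source=addr[0])
            if dev is not None and dev.usn not in found:
                found[dev.usn] = dev
    finally:
        sock.close()
    return list(found.values())


# Constructed sample reply (not captured from any real device; the product name
# is invented), in the shape a home gateway returns to the probe above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: Linux/2.6.22, UPnP/1.0, ExampleRouter/1.0.3\r\n"
    b"ST: " + IGD_URN.encode() + b":1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::" + IGD_URN.encode() + b":1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for dev in discover():
        tag = "IGD" if is_internet_gateway(dev) else "   "
        print(f"{tag} {dev.source:15} {dev.server} -> {dev.location}")
```

Run it from a machine on the LAN: a router tagged IGD is advertising the InternetGatewayDevice profile, so any application (or malware) on the network can ask it to open ports, and the SERVER string is what you compare against your vendor’s advisories. The probe only reaches the local multicast group; whether UPnP is also exposed on the WAN side has to be checked from outside.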

Once a router is compromised, its implant reports to a command-and-control server that the documents call CherryTree (the project as a whole is named CherryBlossom). Through a web interface called CherryWeb, CIA operatives monitor the victimized network, assign tasks to the implant and deliver malware updates to it.

Stock Firmware Vs. Custom Firmware

For people who want to protect their home’s devices, replacing the stock firmware is a good idea. With a flashed router (a router running third-party firmware that is still actively maintained) consumers gain the ability to exert all manner of control over their router, including running a Virtual Private Network (VPN) client on the router itself so that every device behind it is covered.

The most common forms of non-stock router firmware are called DD-WRT and Tomato (not to be confused with the CIA’s exploit of the same name). Joe Soria, Chief Operating Officer and Co-Founder of FlashRouters (a firm that sells fully upgradable, pre-flashed routers with VPNs installed on them) explains the difference between Tomato firmware and the newly disclosed CIA exploit:

“The naming of Tomato as a CIA exploit is nothing more than coincidental. The router exploit and the firmware have nothing to do with each other.”

Protect Yourself

For people who want to ensure that their data is secure from government surveillance, a VPN is a vital tool. A VPN client on a device encrypts its traffic before the traffic leaves the device, so a compromised router sees only an encrypted tunnel to the VPN server rather than the contents of your sessions. Because the data is scrambled before it ever reaches the router, a VPN on each device is a valid mitigation for these CIA exploits. Bear in mind what it does not hide: the router can still see that a tunnel exists and which VPN server it goes to, and devices that are not running the VPN client remain fully exposed.

An insecure router is a massive concern, as Joe Soria of FlashRouters explains:

“Users should be aware that if they are looking for the most up to date firmware, the original firmware named Tomato is actually no longer actively updated or developed but popular variations or forks such as TomatoUSB are fully active and community supported/tested.

“Exploits like this highlight the importance of alternative firmware options like DD-WRT and TomatoUSB for users’ router hardware to remove buggy and security-hole-laden default firmware. It seems every other day a major exploit is announced for these devices, but replacing the firmware locks down the router, makes it infinitely more powerful and adds business-level security options for any user to take advantage of.

“Seeing all the focus on penetrating routers shows just how important it is to get a locked down device with advanced features to enhance your network privacy and prevent intrusion.”

Update Your Router

If you can’t afford to buy a new router with better firmware, the option does exist to update the one you already have. Although it isn’t a walk in the park, it isn’t actually that hard either. Bear in mind that each router brand has a slightly different process, so you will need to do a bit of research about your specific model.

Because Linksys routers are among those the CIA has exploited, I have included a guide to updating those specific routers as an example:

  1. Navigate to and enter your router’s model number.
  2. Click on Downloads and select the particular version of the hardware that you have.
  3. Now click Download. Agree to the terms of service in order to save the file onto your machine.
  4. Now access your Linksys Smart WiFi Account (look here if you don’t know how).  
  5. Click Connectivity, then Router Firmware Update, then Choose File, and follow the instructions from there to install the update that you downloaded.

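Between step 3 and step 5 there is a check worth adding: confirm that the file you are about to flash is the file the vendor published. The script below is an added example, not part of the Linksys instructions and not vendor tooling. It assumes the download page (or a sha256sum-style text file beside the image) publishes a hex SHA-256 for the image; the filename and checksum file it uses for its self-check are constructed.

```python
"""Verify a downloaded firmware image against the vendor's published SHA-256 before flashing.

Added example, not part of the article's Linksys instructions and not vendor
tooling. It assumes the download page (or a sha256sum-style text file)
publishes a hex SHA-256 for the image; where no checksum is published there
is nothing to verify against. The digest is public, so this guards against
corrupted or substituted downloads, not against a vendor that is itself
compromised.
"""
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict

HEX_SHA256 = re.compile(r"[0-9a-f]{64}")
# sha256sum(1) output: "<64 hex>  <filename>" (an optional '*' marks binary mode)
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*?)\s*$")


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large image is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: lowercase hex}; reject malformed lines."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = CHECKSUM_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[match.group(2)] = match.group(1).lower()
    return sums


def verify_firmware(path: str, expected_hex: str, min_size: int = 1 << 20) -> bool:
    """True only if the file is at least min_size bytes and its SHA-256 equals expected_hex.

    The size check catches the common failure of saving an HTML error page or a
    truncated download under the image's filename; real images are megabytes.
    """
    expected = expected_hex.strip().lower()
    if HEX_SHA256.fullmatch(expected) is None:
        raise ValueError("expected digest must be 64 hex characters (SHA-256)")
    if os.path.getsize(path) < min_size:
        return False
    # compare_digest is not needed for a public digest, but it is a cheap habit
    return hmac.compare_digest(sha256_file(path), expected)


def self_check() -> Dict[str, bool]:
    """Exercise the verifier on a constructed image in a temp directory; returns pass/fail per case."""
    image = b"CONSTRUCTED-FIRMWARE-IMAGE\x00\xff" * 4096   # not a real firmware image
    good = hashlib.sha256(image).hexdigest()
    name = "FW_EXAMPLE_1.0.0.img"                          # invented filename
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(image)
        sums = parse_sha256sums(f"# constructed checksum file\n{good}  {name}\n")
        return {
            "matches_published_digest": verify_firmware(path, sums[name], min_size=len(image)),
            "rejects_wrong_digest": not verify_firmware(path, "0" * 64, min_size=0),
            "rejects_truncated_image": not verify_firmware(path, good, min_size=len(image) + 1),
            "parsed_one_entry": sums == {name: good},
        }


if __name__ == "__main__":
    print(self_check())
```

Use it as `verify_firmware("downloaded.img", "<digest from the vendor page>")` and only proceed to the Choose File step when it returns True. A mismatch means the download is corrupt or is not the file the vendor published, and flashing it risks bricking the router or installing something other than the vendor’s firmware.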
An up-to-date router closes the known holes that these tools rely on, which makes it a much harder target, though it cannot protect against flaws that have not yet been patched. For those who want to make sure their data is secure even if the router is compromised, a VPN on each device remains the best option.
