Is the CIA's Weeping Angel spying on TV viewers?

Is your TV on the blink?

Weeping angel

Yesterday, WikiLeaks published thousands of pages of what appeared to be leaked internal CIA documents.

The haul, which WikiLeaks has somewhat pretentiously dubbed "Vault 7", is claimed to be "the largest ever publication of confidential documents on the agency."

The first 8,761 documents released by WikiLeaks appear to be fairly recent, and have been dubbed "Year zero" (again, for reasons perhaps best known to Julian Assange).

Some of the juicier titbits contained within the documents are already making plenty of headlines.

Unfortunately, some of the reporting has been sloppy.

Take, for instance, WikiLeaks's claim that the CIA can use zero-day vulnerabilities to "bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman". This sloppy language led some journalists to report that the CIA had found a vulnerability in the secure chat apps that allowed them to snoop on "secure" messages.

But that's not true.

Instead, it appears that WikiLeaks is merely referring to the CIA's ability to infect smartphones with spyware that can record conversations and keystrokes. No-one wants to be snooped on in that way, of course, but it's a very different prospect from secure apps like Signal being found to contain a fundamental weakness.

If an unauthorised party has physical access to your computer or mobile device then all bets are off. Of course they could install spyware onto it.

The report resulted in Whisper Systems, the brains behind the Signal encrypted messaging app, putting the record straight:

Indeed you could argue that apps like Signal are doing a great job at securing their end-to-end encrypted communications if authorities have to go so far as intentionally meddling with one of the devices to discover what is being communicated.

You may also hear news reports of the CIA turning smart TVs into insidious spying device, keeping a crafty eye and ear on viewers, following the following assessment made by WikiLeaks in its press release:

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984, but "Weeping Angel", developed by the CIA's Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.

The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS. After infestation, Weeping Angel places the target TV in a 'Fake-Off' mode, so that the owner falsely believes the TV is off when it is on. In 'Fake-Off' mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

Again, there's some need for a fact check here.

Usb stick"Weeping Angel", named after a terrifying Doctor Who monster that you really shouldn't blink at, is installed via a USB stick.

If you're worried about the prospect of an intelligence agency breaking into your home in order to plug a malicious USB stick into the back of your Samsung Smart TV then I'd argue you probably should also be worrying that intelligence agencies are breaking into your house full stop.

After all, who knows where else they could be installing surveillance devices?

Now if there was any evidence that the Weeping Angel surveillance module could be installed onto smart TVs remotely without having to creep around someone's house, or that TVs were being meddled with in the supply chain before arriving in households, then, well, maybe that would be more alarming.

Over the coming days there will no doubt be much more to dig out from WikiLeaks' CIA files leak. In the meantime, here are some interesting articles to keep you occupied:

One final thing.

WikiLeaks claims that the CIA has been "hoarding" serious zero-day vulnerabilities and exploits that allow it to break into and spy upon technology from the likes of Apple, Google, Microsoft and other manufacturers.

WikiLeaks then correctly says that not sharing details of the vulnerabilities with vendors and manufacturers is a bad thing - because it prevents the right people from patching the vulnerabilties and making us all stronger. And, more than that, while left unpatched there is nothing to stop intelligence agencies in other countries to exploit the same security holes for their own spying activities.

I agree with that. I believe if a vulnerability is found it should be responsibly disclosed to the vendor or manufacturer so a proper fix can be put in place - to the benefit of all users around the world.

WikiLeaks so far has held back, not publicly releasing the alleged CIA hacking tools and exploit code. I hope they choose not to make them public as I doubt any good will come of it. Instead, Wikieaks should share the information they acquired with the vendors who are best placed to fix the security holes.

Anything less than that is simply making things worse for all of us.

Tags: , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , ,

5 Responses

  1. Mark Jacobs

    March 8, 2017 at 1:00 pm #

    If they do release the hacking code and exploits, that may be a good thing for us security professionals – bags more work! ;-)

  2. drsolly

    March 8, 2017 at 3:52 pm #

    You're short of work?

  3. Jon

    March 9, 2017 at 8:54 am #

    This story made me wonder–aren't microphones and speakers pretty much the same, just with the signal going opposite ways, and therefore if you could hack into any TV with an internet connection (and USB port), couldn't you theoretically make it do the same using the speakers instead?

    I'm sure if it were possible this would have come up before someone thought it was a good idea to add microphones, though.

  4. Bo Ek

    March 10, 2017 at 12:58 pm #

    You don't need an USB stick to install "Weeping Angel"!!!! Get you facts right before you start criticizing some one else to be sloppy with facts!

    All you need to do to install "weeping angel" is to hack the TV, which can be done easily depending on how well the security is setup at that specific home, what services that are running on it and how sloppy the home user is with IT-security over all (no firewalls, default passwords, admin access to all users etc…).

    When you "are in" all you need to do is to remotely mount an ISO file (or download) with Weeping Angels on it and are then ready to go. No need for physical break in at all.

    • Graham Cluley in reply to Bo Ek.

      March 10, 2017 at 1:12 pm #

      Hi Bo

      My reading of the leaked file ( https://wikileaks.org/ciav7p1/cms/page_12353643.html ) was that the "current" method they had for installation was via USB, and that a Samsung firmware update had already prevented that vector.

      I haven't seen any claims in the documents that researchers had managed to install the code remotely.

Leave a Reply