CIA Leaks Unsurprisingly Show The Internet Of Broken Things Is A Spy's Best Friend

So if you've spent any amount of time around here, you probably already know that the security and privacy standards surrounding the internet of (broken) things sit somewhere between high comedy and dogshit. Whether it's your refrigerator leaking your gmail credentials or your children's toys leaking kids' conversations, putting a microphone and camera on everything that isn't nailed down -- then connecting those devices to the internet without thinking about security and privacy -- hasn't been quite the revolution we were promised.

Obviously for the NSA and CIA, the internet of broken things is a field day, and the fact that the intelligence community would exploit this paper-mache grade security should surprise nobody. In fact, James Clapper made it abundantly clear last year that the internet of not-so-smart things was a massive target for surveillance:

"In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” Clapper said."

As Mike already noted, most of what's contained in this week's Wikileaks Vault 7 CIA Document Dump isn't all that surprising. It includes stockpiled Android and iOS vulnerabilities, revelations that the US government covertly pays to keep US software unsafe and vulnerable (long suspected, now proven), and the fact that the government routinely exploits weak security in the Internet of Things to spy on targets. That includes turning Samsung "smart" televisions, long in the news for poor security and privacy violations, as an on-demand spying apparatus.

The documents highlight a CIA program named "Weeping Angel," which allows a CIA hacker to use the Samsung smart TV's microphone to listen in on a target, while the television appears to be off (aka a "fake off mode"). The documents only detail one TV model (the Samsung F8000), and seem to indicate that at least this particular exploit required someone to use an infected USB drive on the television in question:

Given the all-too-frequent lack of encryption (or hey, much security at all when it comes to collecting and transmitting data), it's still reasonable to surmise that a remote attack is perfectly possible on a laundry list of IoT devices, including televisions. Also, as the Intercept notes, given the problems we've repeatedly documented with smart televisions, it would be naive to think other sets aren't impacted:

"Security and cryptography researcher Kenneth White told The Intercept that smart TVs are “historically a pretty easy target” and “a pretty great attack platform,” given that TVs are typically located in a living room or bedroom.” White added that “there is zero chance the [CIA has] only targeted Samsung. It’s just too easy to mod other embedded OSes” found in the smart TVs sold by every other manufacturer."

Again, not particularly surprising for a tech segment repeatedly facing lawsuits for failing to disclose that TVs collect user data, or scandals involving sending this collected data unencrypted over the internet. In 2015, Samsung was forced to issue a lengthy mea culpa after users actually bothered to read the company's privacy policy, revealing that user TVs were watching them watching it. Samsung assured users the company takes "consumer privacy very seriously and our products are designed with privacy in mind," a FAQ also reassuring users that if there's no notification, your TV isn't listening:

How do I know it’s listening or not?

If the TV’s voice recognition feature is turned on for a command, an icon of a microphone will appear on the screen.

If no icon appears on the screen, the voice recognition feature is off."

Apparently not. Again, this might be less of a threat if TV vendors actually took user privacy seriously, utilized system settings that made device functionality transparent, or made it easy to disable functionality of dubious value on demand. But like the rest of the Internet of Things industry, companies were so hyped to use connectivity to hoover up private user data non-transparently, their ethical apathy left the door wide open to intruders (state sponsored or otherwise).

But hey, know that the intelligence community doesn't think you should be worried. Ex-CIA Director Gen. Michael Hayden went on The Late Show with Steven Colbert to insist that the CIA certainly doesn't use smart TVs to spy on people (something he called a "wonderful capability"), and certainly not to spy on American citizens:

Feel better?

Permalink | Comments | Email This Story