Security experts say ‘Vault 7’ leak describes common, public hacks

Posted at 10:26 AM, Mar 10, 2017
and last updated 2017-03-10 10:26:44-05

The CIA allegedly created tools to spy on people through smart TVs and other household technologies, according to documents released by WikiLeaks. But security researchers say the methods imitate exploits that were discovered — and made public — years ago.

The leaked documents that Wikileaks claims are from the CIA, dubbed “Vault 7,” contain notes about how the agency allegedly targeted individuals through malware and physical hacking on devices including phones, computers and TVs. Federal officials are investigating the leak.

The documents describe “Weeping Angel.” That project, according to the documents’ claims, centered on malware that could allow the CIA to listen to targets through Samsung smart TVs, even while the TV was in a “fake off” mode. Documents suggest the exploit required physical access to the TV to insert the malware.

Samsung warned users about exactly this type of susceptibility in 2015. The company told CNNTech this week that it is “urgently looking into the matter.”

But Smart TVs are notorious for potential security issues. In 2013, CNN reported a flaw in Samsung TVs could let a hacker remotely turn on the TV’s camera without alerting the user.

Dan Tentler, founder and CEO of the Phobos Group security firm, recognized the tech described as “Weeping Angel” when he reviewed the Wikileaks documents. That appears to be the same exploit he witnessed in action onstage at a security conference in 2013, he said.

At the Breakpoint security conference that year, researcher SeungJin Lee hacked a smart TV, and demonstrated a “fake off” mode, like the one described in the CIA leaks: the TV appears to be turned off, but in fact the power is still running to allow surveillance tactics.

Lee tweeted about the hack referenced in the WikiLeaks documents: “Nice, CIA. I hope you didn’t send your TVs to A/S center during the Smart TV spying mode development. If you used my code, pay me Bitcoin!”

“Weeping Angel” may not have proven useful for gleaning that much information, said security expert Kelly Shortridge. The claims appear to say the agency doesn’t yet have the ability to capture video, she said — and if physical access is required, this type of surveillance can’t be conducted on a large scale.

“They mention concern over removal [of their access] when the [TV’s software] is updated,” Shortridge told CNNTech. “Additionally, the [low] maximum storage size, combined with Wi-Fi not being available in the ‘fake off’ mode, likely makes constant collection prohibitive.”

Tentler, the Phobos Group founder, told CNNTech it’s understandable the CIA’s alleged exploits would be similar to what’s been around for years: “It makes sense to take what’s public already, and build on top of that.”

Beyond TVs, the documents also claim the CIA studied and possibly used code from Hacking Team — a prominent spyware firm — on other devices as well. However, as the security publication Cyberscoop reports, much of that malware would be easily detected by antivirus software on your phone or computer.

The claims about “Weeping Angel” underscore the insecurity of the internet of things.

Companies continue to release gadgets, toys and appliances that connect to the internet with gaping security holes that allow attackers to control systems or collect personal data. Last year, researchers discovered a security vulnerability in “smart” toy teddy bears that could divulge information — including names, birthdays, gender and voice recordings — to the public.

After spending hours poring over the WikiLeaks documents, Tentler said if the claims are true, it’s clear CIA hackers are just like any others — they use tools already available.

“The stuff in the CIA leak mostly comes from public research,” Tentler said. “These people go to conferences, they read papers, and they follow the work of the information security community.”