How to destroy angels

An Internet of Things security researcher and exploit developer's professional analysis of the progress made by the CIA in the context of the Weeping Angels smart television research project.

Credit: Dado Ruvic, Reuters

Yes, yes, we’ve all heard the news: the CIA may be able to interfere with the security of your smart television. Welcome to 2013! And yet, in 2013 when the documents from the Wikileaks CIA Vault 7 Weeping Angels files were written, they were apparently preliminary research findings at best. Regardless, news agencies are eagerly spreading the perception that these were not research projects developed behind an eerie umbrage flickering upon reinforced Langley walls, but fully loaded and verified weapons to be arbitrarily pointed at targets across the globe.

They’re only partly correct.

According to the contents of the purported CIA Vault #7, the agency has been pursuing remote access to consumer endpoints such as smart televisions, vehicle control systems, and routers since at least 2013, if not earlier. While expected by veteran Internet of Things (IoT) researchers like this author, many readers were nonplussed and even outraged by this information. Though drowning in hyperbole is easy in this modern age of the un-fact, tempering fear with practicality is, as always, an imperative.

The press is widely claiming (or mirroring, rather) that the CIA is capable of remotely hacking into Samsung TVs. While this may be true, there is currently no evidence of this in the first Vault 7 release. The only infection method mentioned in the released material is via Universal Serial Bus (USB), a vector that we all know requires physical access to abuse. Though the dumped archive itself implies a tight relationship between the embedded systems team and the remote exploitation team, it is still unknown whether these teams were able to create a remote access point into Samsung televisions. Granted, the last update for this research project seems to have been sometime in 2014.

Interestingly enough, when this work began, there were at least two public research projects on hacking smart televisions. One was presented at Black Hat Briefings 2013 by the brilliant Aaron Grattafiori, a friend and prior colleague of the author. Another, by Luigi Auriemma, was released at the famed PH-Days conference in 2014. Research into this area was preliminary throughout 2013 and into 2014, with only a small niche subset of researchers interested in the space.

However, at least one important security flaw was known regarding the Samsung television. Aaron and his research partner, Josh Yavor, uncovered a remotely exploitable bug that allowed third parties to take control of the Samsung smart television’s web camera. Though the issue was patched due to Aaron and Josh’s efforts, it was clear that this was a ripe attack surface, as Luigi’s talk a year later further demonstrated.

And yet, there is a glaring difference between remote control of a particular hardware device and covert subversion of an entire embedded system. The CIA’s number one goal is stealth, as it is a requirement to successfully execute an operation from beginning to end. Thus, remote abuse of an endpoint is less valuable than remotely exploiting and gaining full administrative control of an endpoint device, control that helps guarantee that arbitrary third parties can’t interrupt the operation either intentionally or unintentionally, by exploiting the same security flaws. Given the almost academic nature of the Weeping Angel material, it seems that they were merely in the research and development phase of the project, and had little if any ability to ensure long term control of the television.

This is an imperative point of discussion, and it is made clear by the fact that, according to the Weeping Angel notes, only older firmware versions were tested and verified; newer versions were verified to corrupt the CIA test implants. This is clearly not a production-ready product within the given timeline. It seems that at the time of writing, Weeping Angel was a beta product at best, for use in emergency scenarios if at all, and certainly not for widespread use.

One cannot forget the mission statement of the CIA within this context. CIA spokeswoman Heather Fritz Horniak said on Wednesday, “It is CIA's job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad.” Research and development, then, is a key ingredient in the defense of America. That doesn’t mean that every exploit is active, or even used. It simply means it is a technology being investigated. Given the interest in smart televisions during this time period, it would have been foolish for the CIA to ignore smart television security.

And yet, we must temper our rational sighs of relief with a pragmatic eye. Research transitions to weaponry over time, and it is indeed the intent of this kind of offense-focused research. While I put faith in our intelligence community to use this technology wisely, sparingly, and cordoned off to a limited team of professionals, it is painfully clear that there are entities within the CIA, or within organizations close to the CIA, that wish to do America harm. Who these entities are and what their agenda is almost doesn’t matter, at least, not to me.

Whether they exfiltrate information to Wikileaks, Russia, or to other American researchers doesn’t matter. Whether their intent is to harm, or to unintentionally “share warez” like the hacker scene of the '90s, what matters is that there are checks and balances that are clearly and easily bypassable. This is indeed unacceptable. Now more than ever, intelligence agencies must enforce more stringent controls around the technologies they use for legitimate operations, lest their work become someone else’s play toy.

The most important lesson of this leak, however, is for device manufacturers and regulatory bodies. This is a clear call for responsible engineering! If a manufacturer cannot ensure the consistency, reliability, and security of their devices, it is guaranteed that they will not be your devices for long (neither the manufacturer’s device, nor the consumer’s). The cascading effect on consumers, our national infrastructure, and the internet as a whole is unacceptable fallout from corners cut from an IoT endpoint’s conception to its production deployment. Securing IoT endpoints from inception is the only way to destroy angels.

This article is published as part of the IDG Contributor Network.