The latest tranche of confidential documents released by WikiLeaks has suggested that the United States’ Central Intelligence Agency (CIA), and MI5 have developed techniques which enable them to use Internet of Things-connected (IoT) devices, such as smart televisions, for surveillance purposes. This should serve as the starkest reminder yet to device manufacturers and their users that alarming security holes remain, which could have dire consequences if these techniques fall into the wrong hands; according to an app security product company, Promon.
According to the released data, the CIA has developed a programme known as Weeping Angel, which can attack a Samsung ‘smart television’ set. The target TV goes into a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room.
Tom Lysemose Hansen, founder and CTO at Promon, says: “Weeping Angel has provided yet another example of what hackers can do with IoT devices that do not have adequate security measures in place. If government agencies are using such methods for surveillance purposes, then it is sensible to assume that cybercriminals would use similar avenues to conduct their activities.
“This is by no means an isolated revelation. We demonstrated back in November that Tesla cars – and by association any other IoT-connected smart car – could be stolen if cybersecurity measures are not up to scratch. The IoT has almost limitless potential to enhance user experiences, but businesses should not blindly allow its continued proliferation if programmes such as Weeping Angel exist.”
Hansen believes that this latest WikiLeaks release proves that the need for watertight IoT security has reached a new level of importance. With both criminal and state-sponsored IoT hacking now taking place, there is a critical need for device manufacturers and programme and app developers to implement specialist software which is designed to guard against external threats.
He adds: “Self-defending software, such as RASP (runtime application self-protection) technology is an option which should be front of mind for decision-makers in IoT-focused businesses. Such solutions can guard the apps and sensitive information held in IoT devices, and can block even the most ingenious attempts to access a device. This works regardless of how inherently insecure a device is, by binding to the specific applications that are in greatest need of protection.
“Weeping Angel has proven that the IoT cybersecurity stakes are higher than ever before. The sooner organisations realise that the power to fight back against those with sinister intentions is in their hands, the better.”
Julian Assange, WikiLeaks editor warned of an ‘extreme proliferation risk’ in the development of cyber ‘weapons’.
Comment
Ilia Kolochenko, from web security firm, High-Tech Bridge, said: “I am bit surprised that this particular incident has attracted so much attention. The CIA, like any other governmental intelligence agency, uses and will continue using various hacking tools and techniques to obtain any information they need to protect the country. This is their duty. So far, we don’t have any evidence that these capacities were used unlawfully, for example to violate reasonable expectation of privacy of innocent US citizens or for illicit interference with elections.
“It’s also at least incorrect to speak about the CIA’s inability to defend itself, as the source of the leak remains unknown. This can be an insider incident, against which – no large companies or governmental agencies are protected in any country. It can also be a honeypot – to distract someone’s attention from the real arsenal of the US cyber warfare. I am pretty confident that US intelligence have much bigger technical resources than the garbage exposed in the leak. Also, intelligence agencies cooperate in many areas, including cybersecurity and cyber warfare. Therefore, the CIA’s collaboration and knowledge sharing with other agencies, such as the MI5, is obvious and is a common practice.”
