Samsung smart TV

The CIA has developed a hacking tool named Weeping Angel that can turn Samsung smart TVs into covert listening devices.

This information came to the public's attention today after WikiLeaks dumped a treasure trove of documents, codenamed Vault 7, which the organization claims were taken from a "high-security network situated inside the CIA's Center for Cyber Intelligence."

The first part of the leak included only documentation files for hacking tools, exploits, zero-days, and malware, but no actual hacking tools. In total, WikiLeaks leaked 8,761 files, one of which stood out the most.

Weeping Angel developed together with UK's MI5

The tool is named Weeping Angel and, according to the leaked files, the CIA developed it together with Britain's MI5/BTSS department.

For installation, field agents need physical access to the Samsung smart TV in order to perform a factory reset and load Weeping Angel via the USB port. Another installation method may be supported, but was not mentioned in the leaked files, which WikiLeaks says it redacted.

Once installed, Weeping Angel could perform a series of actions. According to the tool's documentation, these are some of Weeping Angel's capabilities:

  •     Extract browser credentials or history
  •     Extract WPA/WiFi credentials
  •     Insert Root CA cert to facilitate MitM of browser, remote access, or Adobe application
  •     Investigate the Remote Access feature
  •     Investigate any listening ports & their respective services
  •     Attempt to override /etc/hosts for blocking Samsung updates without DNS query and iptables (referred to by SamyGo)
  •     Add ntpclient update calls to startup scripts to sync implant's system time for accurate audio collection timestamps
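Two of the listed behaviors leave traces that can be checked on a filesystem copy taken from a TV: update hostnames redirected in /etc/hosts, and ntpclient calls in startup scripts. The following triage sketch is an added example, not code from the leaked documents or from the original article; the keyword match on "samsung", the sample hostnames and the script path are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: any hostname containing this keyword is treated as a vendor host.
VENDOR_KEYWORD = "samsung"
# Match ntpclient as a command name, with or without a leading path.
NTP_CALL = re.compile(r"(?<![\w.-])ntpclient(?![\w.-])")

def audit_hosts(text):
    """Return (line_no, ip, hostname) for vendor hostnames pinned to a
    loopback or unspecified address, which blocks them without a DNS query."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a hosts entry
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in fields[1:]:
            if VENDOR_KEYWORD in name.lower():
                findings.append((no, str(ip), name))
    return findings

def audit_startup(scripts):
    """scripts maps path -> file text. Return (path, line_no, line) for
    uncommented ntpclient calls. These are leads to review, not proof."""
    findings = []
    for path, text in scripts.items():
        for no, raw in enumerate(text.splitlines(), 1):
            if NTP_CALL.search(raw.split("#", 1)[0]):
                findings.append((path, no, raw.strip()))
    return findings

# Constructed sample input (not taken from a real device).
SAMPLE_HOSTS = """127.0.0.1 localhost
192.0.2.10 nas.home.example
0.0.0.0 update.samsung.example  # constructed entry
"""
SAMPLE_SCRIPTS = {
    "/etc/rc.local": "#!/bin/sh\n# ntpclient disabled\n"
                     "/usr/bin/ntpclient -s -h ntp.example &\n",
}

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
    print(audit_startup(SAMPLE_SCRIPTS))
```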

Weeping Angel transforms smart TV into listening bug

The last line in the list above refers to the tool's audio collection capabilities. According to leaked documents, Weeping Angel comes with a fake "Off mode" which turns off the On/Off LED but keeps the TV running.

This allows Weeping Angel to collect data via the smart TV's built-in microphone, used normally to power the device's voice recognition feature. All audio data is logged and sent to a remote server via the smart TV's Internet connection.

The earliest timestamp mentioned in the leaked documents reveals the tool was under active development on June 16, 2014, when MI5 experts helped add new features and improve others (including the fake Off mode).

Weeping Angel to-do list, limitations

The documents also include a list named "ToDo / Future Work," containing features the agency wanted its developers to create.

  •     Build a console cable
  •     Turn on or leave WiFi turned on in Fake-Off mode
  •     Parse unencrypted audio collection
  •     Clean-up the file format of saved audio.  Add encryption??
  •     Streaming audio
  •     Video capture / Video snapshots
  •     Samsung offers remote support – is this an area of functionality to investigate?
  •     Is the browser or any default apps vulnerability to MitM attacks?
  •     Disable auto-upgrade by changing the configuration file

Another list detailed bugs and limitations that agents should take into consideration when deploying the tool.

  •     Updating firmware over internet may remove implant (not tested) or portions of the implant
  •     Firmware version 1118+ eliminated the current USB installation method
  •     Blue LED on back remains powered when in Fake-Off mode
  •     WiFi interface is disabled in Fake-Off mode
  •     Max possible storage usage is 700MB (of 1.6GB).  Increasing requires a change to (& recompile of) the source.
  •     In Fake-Off mode, the Samsung and SmartHub logos are not shown.

Samsung F800 smart TVs affected

The only Samsung smart TV model mentioned in the documents is the Samsung F800. Other smart TV series (presumably the Fxxxx line) are most likely affected as well.

The documents reveal CIA operatives tested the tool on firmware versions 1111, 1112, and 1116, while firmware 1118 removed the USB installation method.

WikiLeaks said it came into possession of the CIA hacking tools from government contractors and hackers. It is unknown when the documents were stolen, but it's very likely the CIA has upgraded Weeping Angel since 2014 with new features and support for newer firmware versions.

In February 2015, Samsung warned customers that its smart TV may accidentally collect private conversations via its voice recognition feature.

Photo credits: Kārlis Dambrāns
