
Weeping Angel. Old News?

Ken Munro 08 Mar 2017

We read with great interest the unfolding story of the WikiLeaks CIA data dump “Vault7”. What stood out for us was “Weeping Angel”, a piece of software that could subvert smart Samsung TVs and use them as covert listening devices.

Sound familiar? It does to us:

  1. https://www.pentestpartners.com/blog/is-your-samsung-tv-listening-to-you/
  2. https://www.pentestpartners.com/blog/is-your-samsung-tv-listening-to-you-update/
  3. https://www.pentestpartners.com/blog/samsung-tv-voice-encryption-update-fixed-but-not-quite/

OK, our Samsung TV security research was never going to be coded into a usable app or product, but based on what we found it would be easily do-able. We did however create a covert “listening” app for Android phones, purely as a PoC for the BBC. There’s a nice video here: http://www.bbc.co.uk/news/technology-35639549.

What does the leaked info actually tell us about Weeping Angel?

After looking at the engineering notes (https://wikileaks.org/ciav7p1/cms/page_12353643.html) our first impression is that it’s more a collection of notes than a proper guide. It reads more like something that they’re working on, rather than a final thing:

  • There seems to be no dropper indicated: there’s an allusion to a USB solution, which was “fixed” in a firmware update.
  • It appears to be installed as an app, so in theory they would need to gain physical access to your TV (not beyond the realms of possibility).
  • It uses Wi-Fi to send audio out. The implication is that a wireless access point is set up nearby for it to talk back to (there’s a lot of talk about making this persistent).
  • The source code came sanitised from “the UK” minus comms and encryption – this is more important to me – it implies that MI5 already had this as a solution.

 

Weeping Angel summarised:

So in essence (from what little information we have):

  1. It’s an app installed on the TV by an unknown vector – most likely in person.
  2. It has a pseudo-off mode in which it looks like it is switched off but it can listen and receive audio.
  3. It sends the audio via wireless to a local Wi-Fi network, which would probably have to be set up.
  4. Once installed it looks like it would be a proper drop box – it could allow command execution and file transfer.