Not Completely Safe
By Charles Parker, II; Cybersecurity Lab Engineer

There are few devices that are as well-known and seen virtually everywhere. These are located throughout the bedrooms, living rooms, kitchens, and recreation rooms. In a commercial environment, these devices are in conference rooms and hallways on the business or news channels. In retail there may be a bank of them on a wall, all showing the same thing. As time has passed, the technology has improved significantly. This has affected TVs. There are in the marketplace several manufacturers producing more advanced smart TVs with connectivity. As with any newer technology, people look to exploit any vulnerabilities. The connectivity of the IoT devices, inclusive of the connected TVs, has provided the outlet for this.

There has been malware coded to exploit connected TV vulnerabilities. Until recently, Weeping Angel was previously unknown. This malware was published as part of the Vault 7 Wikileaks. This was coded to attack the connected TV. Granted, the connected aspect for the TV makes this a prime target, this has not had the limelight on it that other attack vectors have.

A Brand New Age
The attackers are always looking for new areas within a system to manipulate. With all of the bug bounty programs in place, this is treated as a challenge by the attackers. With this specific sample, once the TV is infected, the malware is able to exfiltrate information and data. To accomplish this, the malware uses the microphones is the smart TVs to monitor the noise, speech, and other activities in the vicinity of the TV. Any person talking proximate to the TV would be monitored and recorded, without authorization. Without this, user’s owning and being near the smart TVs in their home and office may be spied on without their knowledge. The target smart TVs are the Samsung manufactured models in 2012 and 2013.

Method
This malware was coded allegedly by the CIA in conjunction with the UK’s MI5/BTSS. In effect; this malware makes the user’s TV a bug. This, however, requires physical access to the TV. There has been no evidence this attack could be done remotely or due to an upgrade in the OS. The infection method as shown has been the USB drive.

This attack tricks the user into believing the TV is off when it actually is recording the room’s noise. This begins to work as the user turns off the TV or so they believe. The TV registers as being turned off to the user. To ensure the user believes this, the TV’s LED lights are disabled, much like a RAT. This is the False-Off mode. At this point, the TV is still actively on and monitors the activities near the TV. This works to record these and send them to the CIA servers via the Wi-Fi in a file format. This allegedly also was coded to seek and record user names, passwords, and Wi-Fi keys.

There presently is one limitation due to the TV’s hardware in that the video of the room is not available.

Statistically Significant
The average person would likely not be a target. The CIA breaking into your house, plugging the USB stick into the smart TV, and egressing without being noted would not be a statistically significant event. Then again, it is not probable the CIA would have a person standing in the supply chain, installing this on TVs or a random sample of these.

Remediation
If the user has an affected TV, the user certainly wants to remediate this in some form. By not completing this, the user would only continue to allow the monitoring. The user has a few options to fix this issue. The user may update the firmware over the air (OTA). If possible the TV may receive v.118, which removes the issue. Unfortunately, this may not be sufficient if the COA were to have applied the “prevent updates” version, which would avoid the update being applied.

The only sure way to have the TV reset to the factory set firmware. This appears to be an easy enough task, however, trying to rest the TV to the factory setting takes a bit of work and is not an easy task.

Resources
Brenna, C. (2017, March 8). CIA ‘Weeping Angel’ program can hack smart TVs, WikiLeaks says. Retrieved from http://www.nydailynews.com/news/national/wikileaks-documents-show-alleged-cia-program-hack-smart-tvs-article-1.2991141
Cluley, G. (2017, March 18). Is the CIA’s weeping angel spying on tv views? Retrieved from https://www.grahamcluley.com/cias-weeping-angel-spying-tv-viewers/
Watkins, J. (2017, March 7). Weeping angel malware activates microphone while tv appears off. Retrieved from http://www.governmentpropaganda.net/weeping-angel-malware-activates-microphone-while-tv-appears-off/

About The Author
Charles Parker, II began coding in the 1980s. Presently CP is a Cybersecurity Lab Engineer at a Tier One supplier to the automobile industry. CP is presently completing the Ph.D. (Information Assurance and Security) with completing the dissertation. CP’s interests include cryptography, SCADA, and securing communication channels. He has presented at regional InfoSec conferences.