The publication by WikiLeaks of documents it says are from the CIA’s secret hacking program describe tools that can turn a world of increasingly networked, camera- and microphone-equipped devices into eavesdroppers.
Smart televisions and automobiles now have on-board computers and microphones, joining the ubiquitous smartphones, laptops and tablets that have had microphones and cameras as standard equipment for a decade. That the CIA has created tools to turn them into listening posts surprises no one in the security community.
Q: How worried should consumers be?
A: The intrusion tools highlighted by the leak do not appear to be instruments of mass surveillance. So, it’s not as if everyone’s TV or high-tech vehicle is at risk.
“It’s unsurprising, and also somewhat reassuring, that these are tools that appear to be targeted at specific people’s (devices) by compromising the software on them – as opposed to tools that decrypt the encrypted traffic over the internet,” said Matt Blaze, a University of Pennsylvania computer scientist.
The exploits appear to emphasize targeted attacks, such as collecting keystrokes or silently activating a Samsung TV’s microphone while the set is turned off. In fact, many of the intrusion tools described in the documents are for delivery via “removable device.”
Q: What can be done to prevent a compromised internet-connected device from communicating with spies?
A: Not much if you don’t want to sacrifice the benefits of the device.
“Anything that is voice-activated or that has voice- and internet-connected functionality is susceptible to these types of attacks,” said Robert M. Lee, a former US cyberwar operations officer and CEO of the cybersecurity company Dragos.
That includes smart TVs and voice-controlled information devices like the Amazon Echo, which can read news, play music, close the garage door and turn up the thermostat. An Amazon Echo was enlisted as a potential witness in an Arkansas murder case.
To ensure a connected device can’t spy on you, unplug it from the grid and the internet and remove the batteries, if that’s possible. Or perhaps don’t buy it, especially if you don’t especially require the networked features and the manufacturer hasn’t proven careful on security.
Security experts have found flaws in devices – like WiFi-enabled dolls – with embedded microphones and cameras.
Q: I use WhatsApp and Signal for voice and text communication because of their strong encryption. Can the exploits described in the WikiLeaks documents break them?
A: No. But exploits designed to infiltrate the operating system on your Android smartphone, iPhone, iPad or Windows-based computer can read your messages or listen in on conversations on the compromised device itself, though communications are encrypted in transit.
“The bad news is that platform exploits are very powerful,” Blaze tweeted. “The good news is that they have to target you in order to read your messages.”
He and other experts say reliably defending against a state-level adversary is all but impossible. And the CIA was planting microphones long before we became networked.
Q: I’m not a high-value target. but I still want to protect myself. How?
A: It may sound boring, but it’s vital: Keep all your operating systems patched and up-to-date, and don’t click links or open email attachments unless you are sure they are safe.
There will always be exploits of which antivirus companies are not aware until it’s too late. These are known as zero-day exploits because no patches are available and victims have zero time to prepare. The CIA, National Security Agency and plenty of other intelligence agencies purchase and develop them.