When WikiLeaks published close to 9,000 documents purportedly detailing CIA efforts to hack smart phones and other devices for covert surveillance operations Tuesday, one small part of the leak got a lot of attention: A handful of these documents suggest the CIA was looking to turn Samsung’s smart TVs into remote surveillance devices, activating integrated microphones and recording targets without their knowledge.
Samsung sent Variety the following statement after the original publication of this story: “Protecting consumers’ privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter.”
Josh Yavor wasn’t really surprised by the revelation. The director of corporate security for Duo Security held a talk at the 2013 Black Hat security conference about doing something very similar, demonstrating how Samsung’s smart TVs at the time could be remotely controlled, which included the hijacking of integrated cameras. Samsung later went on to fix that specific vulnerability.
Yavor could not authenticate the documents shared by WikiLeaks Tuesday, but told Variety that a lot of the technical details checked out. “The notes do indicate a strong understanding of the core Smart TV functionality that Samsung built on top of the underlying Linux-based operating system,” he said.
That being said, the documents shared by WikiLeaks seemed to be a bit of a work in progress. One of the documents remarks that malicious code had to be installed via USB drive, which would require an agent to get physical access to someone’s home in order to turn their TV into a surveillance machine. However, Yavor noted that this could also just be a first step in the development, and that a full attack may not have been available at the time of writing.
“Ongoing work likely focused on building out all of the scaffolding needed to support more advanced capabilities in the future,” he said. It’s possible that the authors of the documents later figured out a way to install malicious code over the internet, but the documents leaked on Tuesday don’t include any details about this.
It’s also worth noting that Samsung hasn’t been selling the affected TV sets for some time. The company ditched cameras for smart TVs some years ago, and has since been integrating microphones for voice control directly into TV remote controls, where they have to be activated with a special button.
All of this may not completely put consumers’ minds at rest, but Yavor said Tuesday that there are some simple steps that users of smart TVs and other connected devices can take to minimize the risk of anyone spying on them. These include opting for TVs without apps altogether, regularly installing updates, and not installing apps from unknown sources.
And then, there’s common-sense risk assessment. “Consumers should practice good operational security by considering the implications of where they install or use ‘smart’ IoT devices,” he said. “For example, installing a Smart TV that has a microphone and camera might be an acceptable risk for your living room, but not for a bedroom.”
Updated, March 8: This post was updated with a response from Samsung.