First guest post!
This post comes from Kyle Helm, from the Royal Military College of Canada. Kyle is currently working on his Master’s in Computer Engineering with particular emphasis on Computer and Network Security.
Is my Smart TV Spying on me?
The answer is probably not. Let me explain… Recent headlines have naturally been full of doom and gloom, but one that caught my eye (and many others') was the most recent WikiLeaks publication under the title of “Vault 7”. This leak, while certainly substantial, may not be the earth-shattering news that some seem to think it is.
What you may have heard or read already are things like “The CIA has bugged all Samsung Smart-TVs” or “The CIA is spying on Americans everywhere” or some such headline that makes it sound like everything with an electrical current may be watching you. I think it is important to say right now that you can ignore all of these headlines, YouTube videos, etc., because, well, frankly they are bullshit.
So what did get leaked? Well, it amounts to essentially part (a large part) of the CIA’s toolbox in the field commonly referred to as “hacking”: tools, exploits, and other content that is used to (a) compromise a target, (b) solidify control of that target, (c) maintain command and control of that target, plus a variety of helper tasks. It all boils down to gaining intel from a target which is somehow networked or computerized, whether that be a one-time exfil of files, using that device to monitor the physical world, using that device as a stepping stone to another device, damaging a device or operation, or simply setting up a way in for later if they do decide they want something. Now all of this may sound scary to those who do not have real exposure to Computer and Network Security, but really it is all pretty standard fare and there is no need to panic.
So “hacking”, what is it? Well, it sure as shit isn’t what you see in the movies and on TV, with someone on either side and whoever can type faster wins (what it is not: http://www.hackertyper.com/ ). Really it is hundreds of hours of careful study of software, networks and systems, looking for vulnerabilities. A vulnerability is a way in: it may be the result of someone not setting something up properly (you should really not keep default passwords on things), or it may be something wrong with a piece of software (say some server software such as a web server) that can potentially be exploited. These vulnerabilities, when found, vary in their value depending on what they are: do they let us take complete control of the box, or just maybe let us crash the box, or even just the vulnerable component, or anything in between?
This means that when you find a vulnerability in a piece of current software (for example, let us say you found a vulnerability in the latest version of Windows 10 that lets you steal Administrator privileges while being a simple user), that knowledge, both of its existence and of how to exploit it, is worth more than gold. You cannot simply tell everyone, because then Microsoft finds out and patches it, and now your exploit is near worthless. What all this boils down to is that teams of people who work in this domain hoard these things for their own use (or sell them to the highest bidder). They want to find their own vulnerabilities and build their own exploits and their own specialized set of tools. This toolbox is what was leaked, which in essence shows us a list of capabilities that the CIA has within this domain. If you dove into any intelligence agency (Canada’s CSE, for example) or even some of the more sophisticated organized crime groups, you would find much of the same.
So back to the original question: am I being watched? Well, to be honest, I cannot answer that for certain. I don’t know who you are, what you have done, where you are, etc. What I can say is that this leak is comprised of a list of capabilities, with no indication of how, when, or where those capabilities have been or will be employed. What I can also say is that the CIA is focused on foreign intelligence and is not permitted to conduct operations on American soil. By that mandate, yes, they can have assets in the US, and servers which they employ as they reach out to conduct operations, but they cannot bring those capabilities to bear against targets in the US. So to the question of “am I being watched?”: well, I do not know for sure, but unless you are living outside of the US and could reasonably pose a threat to the US, its interests or its allies, then probably not. At least not by the CIA.