WikiLeaks just released thousands of pages of documents that bring to light a lot of information about the government’s capability to hack into almost anything with an internet connection.
The CIA, which engineered the backdoors and software revealed in the report, has ways into smart TVs, smartphones, and the most basic levels of various operating systems, as well as methods of breaking encryption.
One particularly talked about attack has been Weeping Angel, a tool that puts one particular model of Samsung Smart TVs (the F8000) into a fake sleep mode that turns off the screen and the lights while leaving the camera and the remote control microphone active.
Weeping Angel: Not the big threat
Weeping Angel sounds, and functions, just as frighteningly as its villainous namesake from Doctor Who. That doesn’t mean it is without limitations.
The leaked reports, dated 2014, indicate that the spy software has to be installed with a USB stick and can’t be loaded remotely. That was 2014, however, and Forrester IoT security analyst Merritt Maxim says that in 2017 it’s entirely plausible software like that could have evolved to allow remote installation.
See: Wikileaks’ CIA hacks: Apple says it’s already fixed many of the flaws mentioned (TechRepublic)
The CIA has refused to comment on the matter, so we have no idea whether such software was used on US citizens. But the CIA isn’t who you should be concerned about.
“Hearing that a given device has a security vulnerability does not surprise me anymore, unfortunately,” Maxim said.
He points to a lack of standards and certifications in the IoT world as a source of the problem, but he also doesn’t think issues like the Mirai Botnet or Weeping Angel are going to stop the growth of the IoT. “The business benefits of connected devices means that it will be very hard for any organization to impede the deployment of IOT purely on security concerns.”
See: Here are the biggest IoT security threats facing the enterprise in 2017 (TechRepublic)
The Internet of Things is, in a lot of ways, like the early days of the internet: A technological wild west largely devoid of industry standards, regulations, or lawmen to keep people safe. It’s still the early days and that means there’s a lot to be gained and a lot of risk.
Keeping prying eyes out
IT professionals are the enforcers of the IoT world, and it’s their job to keep the ‘net safe from spies, bots, hackers, and leaks. Doing so can be rough when there’s no universal standard, but that doesn’t mean action can’t be taken at all.
- Be sure to keep all internet-connected devices up to date on firmware and security patches.
- Monitor network traffic for irregular devices or usage. If anything sticks out investigate it right away.
- The IoT includes smartphones, which means a robust BYOD policy needs to be in place to keep the IoT safe.
- Remain vigilant: Internet-connected devices are also a doorway into the rest of the network.
The three big takeaways for TechRepublic readers:
- Wikileaks released a new trove of documents, which contained evidence that the CIA has developed software capable of breaking into IoT devices and spying on their owners using cameras and microphones.
- The CIA isn’t necessarily the biggest concern: It’s that tools capable of hijacking devices already exist, meaning others could develop them.
- IT professionals need to be proactive on security. Keep devices up to date, keep close tabs on the network, and make sure robust policies are in place for any internet-connected devices.