WikiLeaks published the user guide for the CIA Weeping Angel, the Samsung Smart TV Hacking Tool

Pierluigi Paganini April 21, 2017

WikiLeaks published the user guide related to the hacking tool allegedly used by the CIA, code-named Weeping Angel, to hack Samsung Smart TV.

WikiLeaks has published a new document included in the Vault7 archive containing technical details about another hacking tool allegedly used by the U.S. Central Intelligence Agency (CIA). This time, the organization has published information on a tool designed to record audio via the built-in microphone of some Samsung smart TVs.

The tool is the Weeping Angel, it was mentioned the first time Wikileaks published information related to the Vault 7. The Weeping Angel tool is a tool used by the cyber-spies to spy on targets through Samsung smart TVs.

CIA Weeping Angel

The Weeping Angel was based on “Extending,” an implant allegedly developed by the MI5, among its features, there is the ability to record audio via the built-in microphone of the devices.

“Today, April 21st 2017, WikiLeaks publishes the User Guide for CIA’s “Weeping Angel” tool – an implant designed for Samsung F Series Smart Televisions. Based on the “Extending” tool from MI5/BTSS, the implant is designed to record audio from the built-in microphone and egress or store the data.” reads the documentation released by Wikileaks. 

WikiLeaks has now released the user guide of the hacking tool that is dated February 2014. The document details the implant developed to exploit Samsung F series smart TVs as a surveillance system that can record audio from surrounding environment and either store or exfiltrate the recordings.

The installation of the Weeping Angel implant requests a physical access to the SmartTV, an attacker can infect the device by connecting a USB device.

“The EXTENDING implant can be installed using a Close Access method. The EXTENDING installer is loaded onto a USB stick. This USB stick is then inserted into the target SAMSUNG F Series TV, and the installer is run. The installer deploys the implant and Settings file onto the TV. EXTENDING begins to run when the TV is next powered on” reads the guide.

The EXTENDING implant can be uninstalled by using either a USB stick containing a certain configuration file or at a pre-configured time.

Data can be exfiltrated later exfiltrated via a USB stick or a compromised Wi-Fi hotspot.

The EXTENDING implant is also able to exfiltrates audio over a Wi-Fi hotspot, to a Live Listening Tool, running on a laptop.

It is interesting to note that developers had been planning to implement more data stealing features to spy on browser data and acquire Wi-Fi credentials.

The US intelligence agency still hasn’t confirmed or denied the authenticity of the Vault 7 files.

Last week security researchers at Symantec and Kaspersky have discovered evidence that links the tools described in the Vault 7 archive and the exploit used by a cyber espionage group named Longhorn.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Weeping Angel, CIA)

[adrotate banner=”13″]



you might also like

leave a comment