Anonymous ID: 595714 March 8, 2019, 8:37 a.m. No.5575224

Weeping Angel

https://wikileaks.org/ciav7p1/cms/page_12353643.html

Here's a quick writeup on Weeping Angel from V7.

 

Malware for Samsung televisions; as of June 16th 2014 it was functional but primitive.

131GB of audio a year can be collected per unit (250kB/minute, Ogg compression at quality 5).

Has noise cancellation.

EDB (CIA Embedded Development Branch) receives the source code from the UK (presumably MI5/BTSS) with comms and encryption removed. This means MI5 developed it initially and at some point the CIA got involved in this project.

 

>ToDo / Future Work

 

>Build a console cable

Probably for debugging and development of further exploits and other to-dos.

>Parse unencrypted audio collection

This would help them limit the amount of data collected, not for privacy but so they remain undetected.

>Clean-up the file format of saved audio. Add encryption??

If anybody stumbled across the files they could play them; encryption would make that much harder. If they can play them, it's obvious what those files are and the entire scam is busted.

>Streaming audio

For realtime monitoring, or when you don't want to be busted saving your audio files on your target's TV.

>Video capture / Video snapshots

Self-explanatory.

>Samsung offers remote support – is this an area of functionality to investigate?

Update functions are often used as exploit vectors because they typically have access to the hardware, as opposed to userland, which can only access the operating system (without further exploits). This could also be used for data exfiltration if they can get the WiFi problem sorted out.

>Is the browser or any default apps vulnerability to MitM attacks?

It is common to use pre-installed apps as they are often not updated or the code is garbage. Pre-installed apps also often come from third parties, which means different standards for code review.

>Disable auto-upgrade by changing the configuration file

Make it so future updates to the device (from the user or factory) can't break their installed malware.

 

Since 2014 most/all of these have probably been addressed. Another thing to think about: 2014 was a while ago and there are glaring downsides to this method of collection (namely the amount of audio; the right people are going to notice 131GB of data a year). A simple fix for this with today's technology would be to use the hardware responsible for recognizing phrases (e.g. 'Ok Google') to perform speech-to-text analysis (highly accurate) and send the text of the conversation instead of the audio. This would save a ridiculous amount of data (maybe over 90%), so there's no way they're not doing this. Once it's speech-to-texted and encrypted there's no telling what it is.

 

>Noted Anomalies or Limitations

>Updating firmware over internet may remove implant (not tested) or portions of the implant

This is why they want to disable auto-upgrade.

>Firmware version 1118+ eliminated the current USB installation method

This is why they are going to target the remote-support and auto-upgrade functions.

>Blue LED on back remains powered when in Fake-Off mode

A user or someone looking for things out of place might notice this; it's bad for business (if you're the CIA).

>WiFi interface is disabled in Fake-Off mode

This is bad for realtime monitoring (streaming audio) and for data exfiltration in more modern schemes, which likely include speech-to-text analysis.

>Max possible storage usage is 700MB (of 1.6GB). Increasing requires a change to (& recompile of) the source.

Without addressing the data exfiltration problem (WiFi being disabled, no streaming capabilities) there is a limit to the amount of surveillance that can be accomplished without sending an operator to the site (bad for business if you're the CIA).

>In Fake-Off mode, the Samsung and SmartHub logos are not shown.

Again, something someone might notice that would need to be fixed before this proof of concept is widely deployed.