The latest tranche of confidential documents released by WikiLeaks has demonstrated that the CIA and MI5 have developed techniques which enable them to use Internet of Things-connected devices, such as smart televisions, for surveillance purposes. This should serve as the starkest reminder yet to device manufacturers and their users that alarming security holes remain, which could have dire consequences if these techniques fall into the wrong hands. This is according to app security specialist Promon.
According to the released data, the CIA has developed a programme known as Weeping Angel, which can attack a Samsung television set so that it appears to be switched off, but can still monitor and record conversations.
Although the CIA has claimed that this would be used largely as part of counterterrorism procedures, the revelation is a concerning indicator of what could be done by those with more sinister motives.
Tom Lysemose Hansen, founder and CTO at Promon, said: “Weeping Angel has provided yet another example of what hackers can do with IoT devices that do not have adequate security measures in place. If government agencies are using such methods for surveillance purposes, then it is sensible to assume that cybercriminals would use similar avenues to conduct their activities.
“This is by no means an isolated revelation. We demonstrated back in November that Tesla cars – and by association any other IoT-connected smart car – could be stolen if cybersecurity measures are not up to scratch. The IoT has almost limitless potential to enhance user experiences, but businesses should not blindly allow its continued proliferation if programmes such as Weeping Angel exist.”
Hansen believes that this latest WikiLeaks release proves that the need for watertight IoT security has reached a new level of importance. With both criminal and state-sponsored IoT hacking now taking place, there is a critical need for device manufacturers and programme and app developers to implement specialist software which is designed to guard against external threats.
He added: “Self-defending software, such as RASP (runtime application self-protection) technology is an option which should be front of mind for decision-makers in IoT-focused businesses. Such solutions can guard the apps and sensitive information held in IoT devices, and can block even the most ingenious attempts to access a device. This works regardless of how inherently insecure a device is, by binding to the specific applications that are in greatest need of protection.”
He concluded: “Weeping Angel has proven that the IoT cybersecurity stakes are higher than ever before. The sooner organisations realise that the power to fight back against those with sinister intentions is in their hands, the better.”