Many heist movies have a familiar plot device. A savvy criminal team, with an eye on jewels or a bank vault, will identify a surveillance camera guarding their target. They will then devise a plan to spoof camera footage, fooling unsuspecting security guards into believing that everything is normal as the thieves make off with their loot. The basic script is so familiar in the heist genre that it has become a cliché.
But it just so happens that the CIA has used a similar technique, which it code-named Dumbo, according to documents released by WikiLeaks. The Dumbo instruction manual explains that, before the spy agency sends a team of officers into a building, they can shut off Internet Protocol (IP) cameras or microphones within, corrupt video footage or “deter home security systems that may identify officers or prevent operations.” The last of the files on the WikiLeaks website relating to the IP camera hack dates from July 2015, while the earliest documents are from 2012.
It is not the first CIA-related IoT exploit that WikiLeaks has recently released. Earlier this year, the whistleblower agency released a trove of other files purportedly from the CIA, including malware known as Weeping Angel that gives intelligence officials the ability to secretly listen to the microphone found within Samsung smart TVs. The documents for both the Dumbo and Weeping Angel exploits explain that a USB thumb drive is required to launch the attacks.
Earlier, WikiLeaks announced it had posted a CIA document dating from 2014 mentioning the agency’s intent to potentially target vehicles, industrial control systems and, more broadly, “The Things in the Internet of Things.”
It’s perhaps not surprising that the CIA would develop exploits for IP cameras. Security experts have been working on IP camera hacks for years.
In 2013, Craig Heffner, a security researcher who formerly worked at the National Security Agency, found vulnerabilities in IP cameras from a range of vendors. “It’s a significant threat,” he told Reuters. “Somebody could potentially access a camera and view it. Or they could also use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems.”
Two years later, independent cybersecurity engineers Van Albert and Zach Banks demonstrated at the Defcon security conference how they were able to loop surveillance cameras hooked up to an Ethernet cable.
IP cameras, along with routers and DVRs, were also among the most common types of devices behind the 2016 Mirai botnet, which caused significant internet outages in the United States and Europe.