Hack Your Own Samsung TV With The CIA’s Weeping Angel Exploit

[Wikileaks] has just published the CIA’s engineering notes for the Weeping Angel Samsung TV exploit. This dump includes information for field agents on how to exploit Samsung’s F-series TVs, turning them into remotely controlled spy microphones that can send audio back to their HQ.

An attacker needs physical access to exploit the Smart TV, because they need to insert a USB drive and press keys on the remote to update the firmware, so this isn’t something that you’re likely to suffer personally. The exploit works by pretending to turn off the TV when the user puts the TV into standby. In reality, it’s sitting there recording all the audio it can, and then sending it back to the attacker once it comes out of “fake off mode”.

It is still unclear if this type of vulnerability could be fully patched without a product recall, although firmware version 1118+ eliminates the USB installation method.

The hack comes along with a few bugs that most people probably wouldn’t notice, but we are willing to bet that your average Hackaday reader would. For instance, a blue LED stays on during “fake off mode” and the Samsung and SmartHub logos don’t appear when you turn the TV back on. The leaked document is from 2014, though, so maybe they’ve “fixed” them by now.
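The audio captured during “fake off mode” has to leave the TV at some point, which gives a defender something to look for on the home router. The following is an added example (not from the leaked notes or the article): it scans constructed flow-log lines for a device that uploads a large amount of data during the hours it is supposed to be in standby. The TV address, the log format and the standby window are all assumptions.

```python
from datetime import datetime, time

# Constructed sample of router flow records (not from the article):
# "timestamp src dst bytes_sent". 192.0.2.40 is the assumed TV address.
SAMPLE_FLOWS = """\
2014-06-01T20:15:02 192.0.2.40 198.51.100.7 1820
2014-06-01T23:30:10 192.0.2.40 198.51.100.7 120
2014-06-02T01:12:44 192.0.2.40 203.0.113.9 5242880
2014-06-02T02:05:00 192.0.2.40 203.0.113.9 3145728
2014-06-02T07:50:31 192.0.2.40 198.51.100.7 940
"""

def parse_flows(text):
    """Parse one flow record per line into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "bytes": int(nbytes)})
    return flows

def in_window(t, start, end):
    """True if time-of-day t falls in [start, end); handles windows crossing midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def standby_upload_alerts(flows, device_ip, standby_start, standby_end, min_bytes=65536):
    """Flows where the device sends at least min_bytes while it should be in standby.
    The byte threshold keeps small keepalives and NTP-style chatter from alerting."""
    return [f for f in flows
            if f["src"] == device_ip and f["bytes"] >= min_bytes
            and in_window(f["ts"].time(), standby_start, standby_end)]

def bytes_by_destination(alerts):
    """Total bytes per destination, to see where the standby uploads went."""
    totals = {}
    for f in alerts:
        totals[f["dst"]] = totals.get(f["dst"], 0) + f["bytes"]
    return totals

def demo_alerts():
    # Assumed household schedule: TV is in standby from 23:00 to 07:00.
    return standby_upload_alerts(parse_flows(SAMPLE_FLOWS), "192.0.2.40",
                                 time(23, 0), time(7, 0))

if __name__ == "__main__":
    alerts = demo_alerts()
    for f in alerts:
        print(f"{f['ts'].isoformat()} {f['src']} -> {f['dst']} {f['bytes']} bytes while TV should be off")
    print(bytes_by_destination(alerts))
```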

Do you own a Samsung F-series TV? If you do, we wouldn’t worry too much about it unless you are tailed by spies on a regular basis. Don’t trust the TV repairman!

57 thoughts on “Hack Your Own Samsung TV With The CIA’s Weeping Angel Exploit”

  1. >firmware version 1118+ eliminates the USB installation method
    So they say, but can we be certain? Proprietary firmware makes it difficult to know such things. Perhaps the key sequence was merely changed, and documentation for it disappeared.

        1. The problem with these Conspiracy Theories and the tin foil hat crowd in general, is so many of their “theories” (hypotheses, harebrained ideas) require thousands of people to keep a secret. Obviously this secret had too many people knowing about it, because it got out. In general, the spooks are going to exploit sloppy coding on their own, just to keep the leak footprint low, regardless of the willingness of the company to help.

      1. Knowing Samsung:
        #1 reason was widespread availability of Samsung TVs
        #2 was poor programming on Samsung’s part (Samsung is horrible at software… I don’t know how many times they’ve worked around bad drivers by hacking up the Android framework – WHEN THEY WROTE THE DRIVER IN QUESTION. God forbid they do something that makes sense, like having the light sensor HAL report a proper maximum value instead of something bogus that the Android framework was hacked to ignore.)
        Cooperation didn’t come into play here… Samsung are horrendously uncooperative and stubborn in general. They don’t like government entities they can’t buy/bribe.

      1. How would you turn something on remotely when there is no remote connection to begin with? If there is no cable attached to the RJ45 jack and no WiFi Access data entered in the device this gets very difficult. You would need a Wifi Brute force cracker included in the factory firmware to begin with.

      1. Saved a 47-inch TV* from work’s scrap pile for 20p** for a pack/strip of resistors from Maplin (the UK equivalent to RadioShack, now mostly a gadget shop, still sells resistors at high prices).

        **$0.26? about $0.05 each resistor

        *Not for use as a TV, not even online or catchup, its purpose is purely a PC monitor for youtube, Hackaday, a few other favorites. My first and last phone-call to TV-licensing had them petrified, the way I described not only the law (hidden on their site + OFCOM 2003+amendments on official .gov sites) I told them what a waste TV is and what I’d hope got dropped on the BBC and other stations. They don’t even question, they know I have a screen+PC etc, they know I don’t need a license (I’ll never receive programmes, even catchup doesn’t interest me since it is/was the same rubbish anyway), I have asked (invited) the licensing board over, 7+ years later they haven’t visited LOL. Sources of news are via Newspapers (Online and, paper: that way I pay towards those who I feel deserve so), via forums and blogs (Here at HAD). Entertainment is via those who independently use youtube and other video hosting sites (since I can choose based on multiple variables and not just because, “I can choose what I want to watch”). Work and around friends where I cannot get away from TV, I find I heard about something on the news usually before it was shown and/or have predicted such things due to current worldly affairs…. Blah Etc….

    1. Not entirely true. We offer TV repair services, I was trained by a guy that had been doing it for 30 years when I started, probably do 2 or 3 a month. Unfortunately there isn’t much money to be made. Yes the parts are fairly cheap, but by the time I charge labor it’s rarely under $100. Expensive flat screens don’t get damaged much, at least around here they’re usually wall mounted out of harm’s way. Most of what I see is cheap 32″-48″ TVs someone put on a cabinet and a cat or kid knocked it over, the boards shorted on impact and fried a bunch of stuff. Usually it’s in their best interests to put that $ towards a newer, flatter, feature filled model.

  2. Law I want to see in place: every device manufacturer that bundles bluetooth, wifi or other networking components capable of uploading data must provide instructions and tools to reliably remove/destroy those hardware components.

    1. I think Congress passed an “opposite law” back in the ’90s when they forbade manufacturers to make it easy for consumers to be able to modify their scanning radios to pick up cellular frequencies. One might argue that the law was specific to scanners and cellular frequencies, but I doubt the Feds would bother.

    2. Law I *don’t* want to see in place: every device manufacturer that bundles Bluetooth, WiFi or other networking components capable of uploading data must collect all personal data and provide it directly to the CIA for free.

  3. I really don’t get all the paranoia around webcams.

    1) who wants to see what you do on your computer… we all know which is enough ;)
    2) traffic would be evident if you have a halfway decent router, I can see what host is sending data to where, and at what rate with mine, and if you setup something like TMG you can setup https sniffing too.
    3) the little led on the webcam would be on for things like laptops/tvs as noted in the article. My paranoid friends say the webcams have a built in function for the man to turn this off, but colour me skeptical.
    4) I don’t think anyone wants to see what you are doing on your computer/tv anyway, unless you’re a spy or drug lord.

      1. The RCMP already openly spies on all these people, why do we need to be paranoid about webcams, when they can quite happily set up a stingray outside your home/hotel/office.

        Harder to detect, likely more valuable and relevant information, including an accurate position of the person.

    1. “If you have nothing to hide you have nothing to fear”
      If you’re comfortable living without privacy that’s your choice.
      There are instances of criminals turning on web cams without turning on the led so I’m not sure why you think this is improbable. You can also just take stills without any outward signs.

      Blackmail & harassment/intimidation are much more likely than government surveillance.

      1. “You can also just take stills without any outward signs.”

        But, according to Hollywood, even webcams emit that Nikon F motor-drive sound when they take pictures. (c:

    2. As fictional as you’d like it to be, it’s unfortunately not. Being Joe Blow in the world is good and bad; if you happen to be fit for a crime you did not commit but was one of convenience due to your location, how would you feel being on the receiving end of something as manipulative?

      1. To confirm your statement:

        It took a 3-second sample ripped from a Dictaphone recording by social services to have my brother and me kidnapped by police and put in care.

        Yep they coincidentally mis-replayed the relevant beginning and ending of the recording that would otherwise have changed what sounded like a knife wielding maniac’s last words to someone who corrected their assumption on if they could leave or not (Yep (anti-)social-workers said to my father they were being held hostage by him, to which he corrected them that they were free to go, “If I was holding hostage I’d have a knife in my hand!, you can freely go anytime!”, Highlighted like this sentence is the snippet they played back to the courts that day).

    3. A not so paranoid friend can tell you, the camera has a not so hidden function to turn the LED on. But nobody can force you (or anybody else) to use that function. It’s just connected to a GPIO and the driver can switch it on when it takes data from the sensor. Normally it is not directly connected to the power pin of the sensor.

  4. Weeping Angel? Really? (c:

    It’d be cool if it only monitors you when you’re not watching TV. Though, since I haven’t read the docs, does it only monitor you when the TV is put in standby mode?

  5. Annoying Security Obsessives!

    Ok, so many of you are up in arms about the fact that Samsung left this TV with such easily updatable firmware. I do get it, having people so easily able to spy on you is bad. They do require physical access at least though. Be careful who you invite into your living rooms.

    What about the hacker angle though? I hate the fact that so much capable hardware must go to the trash because its software is out of date and unreplaceable. Example… My Blu-ray player used to play YouTube videos before YouTube went through a software revision that obsoleted it. It also has a Netflix app that has no search feature and only gets about 1/2 of Netflix’s content anyway as well as a few other streaming video services which I never subscribed to and I think are probably out of business now anyway. I bet that same hardware would have no problem playing YouTube and all of Netflix again plus maybe even Hulu and Vimeo with a software upgrade. It’s too bad that will NEVER happen!

    I don’t even have to be cheap to care about this. How about taking care of our planet?!?!

    I want open devices with firmwares that are MEANT to be upgraded damnit! No more DRM’d landfill!
    As for security… if it has a mic… all I need is a simple SPST switch in series with it. If it has a camera then how about a manual iris.. just twist to open or close. I will be very impressed with the spy who can circumvent either of those measures!

    1. I agree with the general sentiment. If I were king, I’d make it mandatory for hardware/appliance manufacturers to make firmware source code for EOL’d devices available to the public along with other special tools needed to build them.

      1. I had some of Samsung’s updates go wrong and effectively break my phone and my only option was to reflash it with Odin.
        I hate to say it my Nokia Lumia 920 Windows was far more stable than any Samsung I owned and it just worked reliably until the battery started going out and the USB port died.
        By which time it was already considered outdated so I didn’t consider it worth repairing.
        That was back in the WP7.5 and WP8 days and before MS started pushing ten on everything so I don’t know how good the new Lumias are.

  6. Building an IR transmitter or using a remote from another Samsung, these are difficult things? Pfft!

    Many people leave USB sticks in TVs
    Most peoples TVs are in shot of a window
    Most of these TVs have a browser
    Many are connected to the net
    Not many people turn things off at the wall anymore.
    Most of these are susceptible to one link rooting

  7. My 2016 Samsung Smart TV runs on a different OS and doesn’t have a built in microphone or camera. Shortly before I bought it, Samsung discontinued support for the Skype app and the next firmware update removed it. Good riddance!

    What I want to hack on it is enabling the DVR function for recording to a USB hard drive. They don’t let North Americans have that function.

  8. In fact, any smart TV or other device with a “programming” or upgrade port has the potential to record data.
    It doesn’t matter if there is no microphone as it’s feasible to record things like backlight voltage, video level (showing timing of advert breaks allowing channel habits to be determined), feedback signals from the power supply etc.
    This function can be enabled by using either the CDM interface or firmware update port under a small cover even if TV has no USB port, with the “real” port moved down by 5mm in case someone gets curious and removes said cover.
    Also relevant, HDMI can be used to send bidirectional data via the I2C interface as can laptop LCD panels and RAM.
    Think that 24C01 firmware chip is really 1K, think again. 2GB chips can be made using 22nm process to physically resemble more common ones and even present as a 1K but as I found out they can be detected by monitoring power usage which will be higher than the correct chip when writing data for later exfiltration.
    Some manufacturers used to socket these making it ridiculously easy to swap them during mass production.

  9. Surprised at such a low-level operation to bug TVs. If I had the budget and responsibilities of a major IC agency (and a complete and utter disregard for the 4th Amendment), I’d go far upstream, to the OEM firmware installed on all (Samsung) TVs. It’s entirely possible to carry out using the full scope of CIA’s humint, sigint, & cyberint capabilities, and the result would be invaluable. If you support that sort of thing *Shout out to American taxpayers*.
