Published August 06, 2013
Perhaps you're not worried about the National Security Agency tracking your phone calls and e-mails -- but what if they were watching you in your PJs on your couch?
It may sound like something out of Mission Impossible, but it's the stuff of fact, not fiction.
Last week, two security researchers from iSEC Partners reminded us that today's Internet-connected smart TVs can be hacked. At the Black Hat security conference in Las Vegas, the pair explained how they found loopholes in older Samsung models and were able to turn on a set's video camera without the user's knowledge. Such a proof-of-concept attack has been demonstrated before, and Samsung reportedly has closed the loopholes. (Notice that new Samsung sets have a camera that can be flipped up to point at the ceiling.)
But researchers point out vulnerabilities like this all the time. The practical question is, would anyone do this in the real world?
In fact, the U.S. government has demonstrated that it has just such a capability as part of its ongoing cyber espionage battle with foreign governments. Security analysts say the sophisticated spyware dubbed Flame was created by government programmers, and among its many features, the program is able to turn on a target's Web cam and record video (all without turning on the telltale flashing recording light). In addition, hackers routinely use programs called remote administration tools (or RATs) to switch on a victim's camera remotely, effectively turning the video camera in an office or living room into a private CCTV monitor.
Maybe all you're guilty of is playing air guitar in the office when the boss is out, but the idea that organizations like the NSA can literally look into American living rooms should disturb most citizens. Making it all the more unnerving is the fact that such programs are nearly undetectable, say security companies.
"Why Flame was found was because it was out of control," says Aleks Gostev, chief security expert at Kaspersky Labs. Gostev warns that Flame was infecting systems for years before it was detected, and that other even more sophisticated programs could already be online monitoring users. Indeed, recent leaks about the NSA's XKeyscore program from Edward Snowden seem to confirm that the U.S. government is attempting to monitor all online traffic -- video is just part of that traffic.
As for hackers watching you watch TV, those attacks succeed only if you engage in a chat session or look up a Web page on the television, which is how the malware infects the set. If you never use your smart TV to look up a sports statistic or chat with friends, you're probably safe from hackers -- but not from the government.
The problem is that the companies behind the video chat software -- Microsoft owns Skype, for example -- have been forced to cooperate with the government. Indeed, according to leaked documents, the NSA has been able to record Skype video calls since Microsoft purchased the company. So there's no need to hack into your TV.
To those who believe such surveillance is worrying but could never be used against them, consider a report this week from Reuters that secret surveillance information from the NSA -- which is only supposed to be concerned with foreign security threats -- is being used by local law enforcement and the Drug Enforcement Administration in the United States to make arrests. The source of the information is never revealed, so its admissibility cannot be questioned in court, according to the report.
So should we go back to dumb TVs and stay off the Internet? Should you never allow a Web cam into the house?
I love video conferencing. It's the best way to communicate with family and friends, and I'm not about to give it up. I do think we should be a lot more skeptical about what government agencies are up to online. And until we find out more, when it's supposed to be off I'm putting tape over the TV's camera.