A Closer Look at the TVs From the CIA 'Vault 7' Hack

The Samsung models cited in leaked documents were among the first to have built-in microphones and cameras

F8000 Samsung

Yesterday, those of us already concerned about the amount of personal data being collected by smart TVs and other devices got a bit of a jolt when a dump of new documents by WikiLeaks claimed that the CIA had hacked into Samsung smart TVs, along with other devices.

The CIA hasn't said whether the trove of documents, dubbed "Vault 7," is authentic or not, but the material indicates the CIA devised a way to turn these televisions into bugging devices, using the built-in microphones to eavesdrop on any conversation within earshot.

During a live-streamed press event the day after the leaks were released, WikiLeaks founder Julian Assange said the group has decided to work with technology companies so they can fix security issues with their products before more information is released.

"We have decided to work with [manufacturers], to give them some exclusive access to some of the technical details we have, so that fixes can be developed and pushed out," Assange said.

Security professionals say the smart TV attack probably targeted specific espionage targets. "Nothing in this suggests it would be used for mass surveillance," says Sarah Zatko, a information-security expert and the cofounder of Cyber Independent Testing Lab (CITL), a nonprofit software security-testing organization that has partnered with Consumer Reports to create a new privacy standard. "I highly doubt you're one of the targets unless you have some pretty big secrets."

More details on the CIA program may emerge. However, the information in the Vault 7 leak highlights the fact that consumers are inviting more microphones and video cameras into their homes, in devices that are connected to the internet and potentially vulnerable to hacking.

The Samsung TVs cited in the leak were outliers when they came on the market and were tested by Consumer Reports in 2012 and 2013. Today, smart TVs are everywhere, and nearly all of them capture and share information about what you're watching and what online sites you're visiting. (We've been offering advice on how to shut off a TV's snooping features since 2015, and updated our instructions just last month.)

Recent data shows consumers have serious concerns about privacy and security. In a nationally representative CR Consumer Voices Survey conducted in January, 65 percent of respondents told us they are either slightly or not at all confident that their personal data is private and not distributed without their knowledge.

The CIA news "underscores the urgent need for strong privacy protections in the digital marketplace, and CR will work tirelessly to advance the rights of consumers to safeguard themselves from intrusion and abuse, whatever its source," Marta L. Tellado, President & CEO of Consumer Reports, says.

Meet the Hacked Samsung Smart TVs

It's not clear how many Samsung smart TV models may have been compromised, but the F8000 series was named in the WikiLeaks material.

We remember the F8000 series well—they were good TVs. We tested the 55-inch 55UNF8000 and the 65-inch UN65F8000 sets back in 2013. Both were top-scoring flagship 1080p models in CR's TV ratings.

These sets delivered excellent high-definition picture quality, with razor-sharp detail and excellent color accuracy. More to the point considering the WikiLeaks news, they had some of the most advanced internet features we'd seen at that time.

Both televisions could access a WiFi network, but only once the user plugged in a WiFi adapter into one of three USB ports. Most importantly, the TV had an embedded microphone, and another mic in the remote. The TV also included a built-in video camera. These components were part of Samsung's "Smart Interaction," a feature to let users control the TV using hand gestures or voice commands.

We didn't think very much of the gesture control, which was clunky, and the TV's trick of using facial recognition to log you into your account bordered on the creepy. But the voice feature was useful, especially when you were searching for content. (Yes, the microphone worked reliably.)

We've asked Samsung which other models could be affected by the purported CIA hacks, and are waiting for a response. In the meantime, the company sent this statement: "“Protecting consumers’ privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter. The report describes a malicious software installed through a physically connected USB drive which applies to firmwares on TVs sold in 2012 and 2013, most of which have already been patched through a firmware update."

What the CIA Did—And Didn't Do

The WikiLeaks documents include engineering notes about the smart TV hacking, which provide some details about what the CIA was allegedly able to pull off. Working with Britain's MI5 secret service, the CIA developed several capabilities.

First, the agencies created a "Fake Off" mode that tricked users into thinking their TVs were turned off when they were still secretly recording audio. The documents also claim that CIA hackers managed to prevent a TV from automatically updating its firmware. The malware worked on firmware versions 1111, 1112—the firmware on the sets we tested—and 1116, but versions 1118 and higher apparently blocked it.

The WikiLeaks document states that the CIA's malware—dubbed Weeping Angel, to the consternation of many Dr. Who fans—was delivered by a USB drive plugged directly into a TV. According to Zatko, that's one of several clues that this malware was developed to spy on a specific target.

"When your average cyber criminal launches a similar attack, they'd prefer to do it over the wire," she says. "The CIA, on the other hand, wouldn't want a cyber attack to be traced back to the United States. Doing this through a remote exploit might have opened them up to greater chance of attribution, or maybe they were just confident they would have physical access [to the TV]".

The documents also included a to-do list. When Fake Off was running, a blue LED light on the back of the set would remain illuminated. It was a telltale sign that the television wasn't completely powered down. According to the documents on WikiLeaks, hackers planned to look for a way to shut that light off. The CIA software team also wanted to devise a method for capturing video and photos from the television's camera.

According to the documents, the group wanted to learn whether Samsung could provide technical support to the TV remotely and whether that capability could be hacked. And they intended to investigate whether the TV's web browser or any of the default apps on the set were vulnerable to a "man-in-the-middle" attack, in which data would be intercepted as it passed between the TV and the internet, without tipping off the user.

What Consumers Can Do

Consumers can follow our advice on how to turn off the snooping features in TVs made by Samsung, LG, and Vizio, leading players in the U.S. market.

Those settings may not stop the type of attack the CIA apparently devised, but they should stop the TV from collecting data on behalf of the manufacturer and third parties.

When the F8000 was introduced, users had to say "Hi, TV" to activate the TV's microphone. That seemed to protect user privacy. But in 2015 Samsung warned customers, "if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted" to Samsung and third parties, including the company providing the technology behind voice recognition.

TV makers also have methods for tracking what you watch on television; the information is transmitted back to the manufacturers or their partners.

But changing the privacy settings on your TV probably won't protect against malware. The alleged CIA documents highlight the fact that our homes are becoming target-rich environments for criminals, filled with connected devices that provide lots of convenience, but very inconsistent security. "There’s such a wide variety of devices that are placed in our homes in positions of trust," Zatko says, "and the vendors generally gave little to no thought in how they could be secured against misuse."

One wise move is to keep the firmware up-to-date on all your connected devices. This will ensure that you benefit from security fixes put in place by the manufacturers. On a Samsung television, do this by going to the TV's main menu, finding Support, and selecting Software Update.

If your television is too old to accept an update, we advise returning the TV to its factory default settings. You may lose your TV's picture settings, but a reset should wipe out any malware installed on the television.

Or, you can follow Zatko's lead and go retro. "I don’t have a smart TV or smart thermostat because it's not worth the security risk," she says. "My advice? Buy the smart device if you really need the smart features, but if the dumb one will do, go for that."

Note: This article has been updated to include comments from Julian Assange, as well as additional statements from Samsung.

James K. Willcox

I've been a tech journalist for more years than I'm willing to admit. My specialties at CR are TVs, streaming media, audio, and TV and broadband services. In my spare time I build and play guitars and bass, ride motorcycles, and like to sail—hobbies I've not yet figured out how to safely combine.