WikiLeaks released details yesterday of a broad slate of hacking approaches used by the US's Central Intelligence Agency (CIA) to install spyware on electronic devices. According to 8,761 documents published by WikiLeaks, the CIA used malware to target Windows, Android and iOS devices, such as computers, tablets and smartphones.
In addition, the CIA allegedly colluded with British intelligence organizations MI5 and GCHQ to develop spyware for Samsung Electronics Co. Ltd. (Korea: SEC) TVs. (See WikiLeaks Strikes Again.)
The Samsung F8000 range of Internet-connected smart TVs was of particular interest, as it includes a microphone for audio commands. Rather colorfully codenamed "Weeping Angel", the spyware enabled a "fake-off" mode, which made the TV look like it was off when it was actually recording audio -- which was then pushed back to CIA servers over the Internet, via the user's WiFi connection when the TV was switched back on.
The CIA was also working on advanced capabilities aimed at using video cameras in a similar fashion, and even being able to transfer information in the "fake-off" mode. Given that the information leaked is from 2014, it is certainly possible that the agency has been able to develop that capability, and is pulling video off hacked cameras on smartphones and other devices when users think the phone is off. The CIA has also very possibly extended its reach to other voice-activated services, such as Siri, Cortana, Google Home and the well received Amazon Echo with its Alexa voice-controlled assistant.
While government monitoring of citizens is a sensitive political subject, with arguments for (based on national security and foiling terrorism) and against (the right of citizens to privacy and the misuse of personal data), these are moral and legal arguments.
From a more market-oriented perspective though, it raises a new set of questions for service providers and device manufacturers. Apple Inc. (Nasdaq: AAPL)'s refusal to help the FBI hack its devices created a media circus, but in the end, did not really clarify its legal obligations since the FBI withdrew its case after finding another way to crack the encryption.
So should operators, media companies and device manufacturers work with spy agencies? It's probably going to depend on legal precedents in each country, the individual circumstances of each request, the nature and positioning of the brand and, in many countries, the political realities of doing business there.
Certainly some companies have taken it upon themselves to collect sizable amounts of data on their customers. Google (Nasdaq: GOOG) is a prime example, building a targeted advertising business worth billions on the back of it -- but that's with user permission, though arguably not many understand what exactly they are agreeing to. And of course, there are a number of hackers, spyware and hijacking apps out there that just take without asking.
Others, such as smart TV company Vizio, have collected data without permission and have paid for it -- quite literally. Vizio Inc. had to pay $2.2 million to settle charges brought by the Federal Trade Commission and the New Jersey Attorney General's Office. (See Spying Not So Smart on TVs, Finds Vizio.)
This recent disclosure just adds to a broad set of cybersecurity concerns steadily building among media companies across the value chain. The broadcasting industry is in the midst of a major transformation from SDI to IP, where servers and other broadcast equipment are becoming IP-addressable. This helps with flexibility and efficiency, but does create a target for hackers. The most widely quoted example is the French channel TV5 Monde, which was hacked soon after its launch and broadcast malicious content for 18 hours before engineers were able to regain control.
Similarly, service providers are moving quickly to enable OTT services and multiscreen video capabilities, and are increasingly looking at cloud technologies to enable these services. Security concerns are not primary in these initiatives; time-to-market is often the driving force. Successful attacks and hacks are growing steadily in the media industry, with UK broadband provider TalkTalk a recent high-profile target. TalkTalk was fined £400,000 ($486,912 at today's exchange rate) for security failings leading to the theft of 157,000 customers' personal data. The provider lost customers and revenue, with some estimating the damage at £40 million ($48.7 million at today's exchange rate).
Charter Communications Inc. is another service provider that reportedly suffered a DNS hack in 2014, though to the best of our knowledge this has not been confirmed by the company.
Speaking at an industry panel some months ago, Helen Stevens, director of broadcast operations at UK broadcaster ITV plc (London: ITV), said that it takes 170 days on average for an organization to even realize it has been hacked. Yahoo Inc. (Nasdaq: YHOO) is a good example, only realizing years later that its subscriber accounts had been compromised. (See Another Hack Announced by Yahoo.)
Stevens also said that ITV sees 450 DDoS attacks per day, and is always afraid something really destructive will make it through.
Jeff Dow, Global CISO at 21st Century Fox , echoed her concerns, saying his main concern is that the hackers can get into a machine with admin privileges and then access production servers.
All of this underscores the urgent need for the media industry to start looking not only at protecting content but also the security of its devices and infrastructure. It may be that the CIA monitoring us is the least of our worries, both as citizens and as members of the media value chain.
— Aditya Kishore, Practice Leader, Video Transformation, Telco Transformation