WikiLeaks Exposes CIA CouchPotato Tool For Hacking Security Camera Video Streams

Here we go again. WikiLeaks, the international non-profit whistleblower that publishes secret information to the web, has been dumping classified documents outlining various hacking tools and malware used by the United States Central Intelligence Agency. These documents are part of what WikiLeaks calls Vault 7, the latest of which contains information on the CIA's "CouchPotato" tool.

According to WikiLeaks, CouchPotato is a remote tool for intercepting video streams, either saving them as an AVI video file or capturing still images of frames from the stream as JPEGs, presumably to save space. In the latter case, CouchPotato is able to analyze and detect when a frame of video is significantly different from the previous frame so that it only captures frames of interest.


"CouchPotato utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. In order to minimize size of the DLL binary, many of the audio and video codecs along with other unnecessary features have been removed from the version of ffmpeg that CouchPotato is built with. pHash, an image hashing algorithm, has been incorporated into ffmpeg’s image2 demuxer to provide image change detection capabilities. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader," the documentation states.

Part of the documentation warns against launching the CouchPotato DLL out of a process that is critical to system stability, such as services.exe. Apparently the program is not always stable and in some cases "beyond CouchPotato's control," the DLL can exit "ungracefully." It can also leak memory and leave file handles open, all of which can reveal its presence on a target's machine.

It is not known how widely used this program might have been. The manual for version 1.0 is dated February 2014 and contains a few known issues. One of them is potentially high CPU usage. The authors note that on a Windows 7 64-bit VM that was allocated a single CPU core, the process that CouchPotato was injected into was using between 50 and 70 percent of the available CPU while capturing images.
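
The side effects described above (leaked memory, file handles left open, and 50 to 70 percent CPU in the host process) are signals a defender can look for in per-process telemetry. The following is an added example, not code from the CouchPotato documentation or from this article; the process names, thresholds other than the 50 percent CPU floor, and the sample telemetry are constructed assumptions.

```python
from statistics import median

# CPU_FLOOR is the low end of the 50-70 percent range the article reports.
# The other thresholds are assumptions chosen for illustration.
CPU_FLOOR = 50.0        # percent of one core
MIN_GROWTH_RATIO = 0.8  # share of consecutive samples that must increase
MIN_SAMPLES = 5

def growth_ratio(values):
    """Fraction of consecutive sample pairs in which the value increased."""
    pairs = list(zip(values, values[1:]))
    return sum(b > a for a, b in pairs) / len(pairs) if pairs else 0.0

def score_process(samples):
    """samples: (cpu_percent, handle_count, private_bytes) tuples, oldest first.
    Returns the names of the signals that fired."""
    if len(samples) < MIN_SAMPLES:
        return []  # too little history to judge a trend
    cpu, handles, mem = zip(*samples)
    signals = []
    if median(cpu) >= CPU_FLOOR:
        signals.append("sustained_cpu")
    if growth_ratio(handles) >= MIN_GROWTH_RATIO:
        signals.append("handle_growth")
    if growth_ratio(mem) >= MIN_GROWTH_RATIO:
        signals.append("memory_growth")
    return signals

def triage(telemetry, min_signals=2):
    """Return {process: signals} for processes with at least min_signals."""
    scored = {name: score_process(s) for name, s in telemetry.items()}
    return {n: sig for n, sig in scored.items() if len(sig) >= min_signals}

# Constructed telemetry (not real measurements), one sample per minute.
TELEMETRY = {
    "host_a.exe": [(62, 410, 80_000_000), (58, 433, 84_000_000),
                   (66, 457, 89_000_000), (55, 480, 93_000_000),
                   (69, 502, 98_000_000), (61, 529, 103_000_000)],
    "host_b.exe": [(3, 300, 40_000_000), (5, 298, 40_500_000),
                   (2, 301, 40_100_000), (4, 299, 40_300_000),
                   (3, 300, 40_200_000), (6, 300, 40_400_000)],
    # CPU-heavy but stable: shows why one signal alone is not enough.
    "encoder.exe": [(71, 220, 150_000_000), (68, 221, 150_100_000),
                    (74, 220, 149_900_000), (70, 220, 150_000_000),
                    (72, 221, 150_050_000), (69, 220, 150_000_000)],
}

if __name__ == "__main__":
    for name, signals in triage(TELEMETRY).items():
        print(name, signals)
```

Requiring two signals together keeps a legitimately busy process such as the constructed `encoder.exe` out of the results, while a process that is both busy and steadily accumulating handles and memory is surfaced for review.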