WHISTLEBLOWING DOCUMENT FOUNDATION WikiLeaks continues to add to its growing trove of alleged CIA documents, known as Vault 7, with a user guide for a programme called CouchPotato, which is designed to capture video from IoT cameras.

Critics of WikiLeaks have said that the documents posted to Vault 7 are several years out of date, but this document is relatively recent. dating back to February 2014.

The CouchPotato project is apparently intended to target RTSP/H.264 video streams coming from networked cameras; unlike Dumbo, it doesn’t seem to require physical access to a PC.

The documents posted to WikiLeaks deal with the first version of the application, but it isn’t clear whether or not other versions exist. If they did, we imagine that they would smooth out issues like the excess CPU time consumed by CouchPotato (which would increase its risk of being detected).

The guide states: “CPU usage of the process that CouchPotato is injected into can potentially be high depending on the number CPUs/Cores available. In development and testing, it was observed that on a Windows 7 64-bit VM allocated just one CPU core, the process that CouchPotato was injected into was using between 50-70% of available CPU while capturing images of significant change. Memory usage was between 45-50MB.”

The document is also full of recommendations to ‘use wisely’, indicating that there are still bugs or other inefficiencies present.

In its own words: “CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame.

“CouchPotato utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. In order to minimize size of the DLL binary, many of the audio and video codecs along with other unnecessary features have been removed from the version of ffmpeg that CouchPotato is built with. pHash, an image hashing algorithm, has been incorporated into ffmpeg’s image2 demuxer to provide image change detection capabilities.

“CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.” µ



