WikiLeaks reveals Dumbo: CIA tools for weaponising webcams and corrupting video recordings

More embarrassment for US law enforcement and security services as information about another hacking tool is leaked online

Dumbo, a suite of CIA tools that can identify, control and manipulate monitoring and detection systems on a target computer running Windows, has been revealed by WikiLeaks.

The tools have been used by the CIA's Physical Access Group (PAG), a branch within the Centre for Cyber Intelligence (CCI). As the name indicates, it's for field operations in which the CIA feels it needs to gain physical access to PCs in order to compromise them and spy on their targets.

"Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating sytem. It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks," claims WikiLeaks.

It continues: "All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator. By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation.

"Dumbo is run by the field agent directly from a USB stick; it requires administrator privileges to perform its task. It supports 32-bit Windows XP, Windows Vista, and newer versions of the Windows operating system. [However] 64-bit Windows XP, or Windows versions prior to XP are not supported."

It's not known what role the malware has played in CIA investigations, and whether evidence gleaned from the tool has been used in court.

In addition to the brief explanation, WikiLeaks has also a series of Dumbo user guides, as well as the field guide. A CIA presentation dated June 2012 has also been published. (PDF)

"Dumbo is designed as a PAG [physical access group] entry-operation utility that targets webcams and other monitoring software. PAG requests this capability to deter home security systems that may identify officers or prevent operations," the presentation explains.

It continues: "Dumbo is designed to be configured with a set of processes, installed and run from a thumb drive [USB stick] and exits upon removal of the drive."

Dumbo, it continues "will immediately terminate all configured processes, and disabable all NICs [network interface cards] for the duration of the operation… On removal of the drive running Dumbo, all NICs will restart and terminated processes will be able to restart".

The tool is configurable from the command line, dropping output files directly to the USB stick. However, any programs not on the ‘termination list' can start-up the webcam and record will the USB stick is plugged-in, "however, no data will be exfiltrated [by the webcam] since the NIC will be disabled".

The exposure of Dumbo is just the latest in a series of embarrassing leaks that reveal the depth and extent of US security and law-enforcement agencies' hacking tools.

Indeed, the WannaCry ransomware and NotPetya malware released in May and June respectively deployed leaked US National Security Agency exploits that took advantage of what were then unpatched security flaws to propagate.

An analysis of NotPetya ramsonware, though, indicated that the exploit had been incorporated into the malware before it had been made publicly available, raising questions over the provenance of NotPetya and who, or what groups, might have been behind it.

Computing's DevOps Summit returns on 19 September. Attendance is free to qualifying IT leaders and other senior IT professionals, but places will go fast, so secure yours now.