Vault 7: CouchPotato – WikiLeaks dumps info on another CIA hacking tool

Published on: 11th August 2017

WikiLeaks has leaked the user guide for CouchPotato, another CIA tool part of the notorious Vault 7 dump, which allows CIA operatives to capture remote video streams in RTSP and H.264 formats, used by IP surveillance cameras. The tool uses FFmpeg software, normally used to store multimedia data, and targets Windows-operating devices.

“Today, August 10th 2017, WikiLeaks publishes the the User Guide for the CoachPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader,” announced WikiLeaks.

Dating from February 2014, the user guide warns that, when collecting a video, an expiration time should be set for the tool to exit, because it “can leak memory and also leave file handles open.” The guide doesn’t elaborate on how CouchPotato is planted into the infrastructure, so it may require other tools to work.

The CPU usage is quite high when CouchPotato is injected, approximately between 50 and 70 percent, according to the guide.

“CPU usage of the process that CouchPotato is injected into can potentially be high depending on the number CPUs/Cores available. In development and testing, it was observed that on a Windows 7 64-bit VM allocated just one CPU core, the process that CouchPotato was injected into was using between 50-70% of available CPU while capturing images of significant change. Memory usage was between 45-50MB,” says the guide.

Until today, WikiLeaks has published information and user guides for 20 hacking tools.