CIA's “CouchPotato” Collects Video Streams

WikiLeaks has published documents that describe a remote tool allegedly used by the U.S. Central Intelligence Agency (CIA) to collect RTSP/H.264 video streams.

Dubbed “CouchPotato,” the tool can apparently be used to collect the stream as a video file (AVI), or to capture still images (JPG) of frames from the stream, as long as these frames are “of significant change from a previously captured frame.”

To perform the video and image encoding and decoding operations, the tool leverages the free software project FFmpeg. However, many audio and video codecs, along with unnecessary features, have been removed from the FFmpeg version used by CouchPotato.

To provide the tool with image change detection features, the pHash image hashing algorithm has been integrated into FFmpeg’s image2 demuxer. CouchPotato also uses RTSP connectivity and “relies on being launched in an ICE v3 Fire and Collect compatible loader,” the tool’s user guide published on WikiLeaks reveals (PDF).

Thus, the use of this tool requires a loader that can support the ICE v3 specification (Fire and Collect are mentioned as suitable options, along with ShellTerm, which was used to test CouchPotato during development). Python 2 is required by the module handler script, which should also be run on a *nix host, the same host the loader runs onto.

To avoid being blocked by a firewall when sending or receiving data, CouchPotato should be injected into a non-critical host process on the target machine, the documents explained. The user manual specifically recommends not to launch out of a process critical to the system’s stability. The tool can be operated using a command-line interface.

Targeting RTSP and H.264 video formats, which are normally used by IP-based surveillance cameras streaming video content over LAN or the Internet, CouchPotato requires the video stream URL to function and doesn’t necessarily require compromising the target’s network.

The user guide published on WikiLeaks includes details on the various arguments the tools comes with support for, along with the various limitations and caveats the tool inherits, such as high CPU usage for the injected process.

Related: WikiLeaks Details CIA’s Air-Gapped Network Hacking Tool

Related: CIA Tool ‘Pandemic’ Replaces Legitimate Files With Malware

Related: WikiLeaks Details Malware Made by CIA and U.S. Security Firm

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire: