CIA’s “CouchPotato” Collects Video Streams

WikiLeaks has published documents that describe a remote tool allegedly used by the U.S. Central Intelligence Agency (CIA) to collect RTSP/H.264 video streams.

Dubbed “CouchPotato,” the tool can apparently be used to collect the stream as a video file (AVI), or to capture still images (JPG) of frames from the stream, as long as these frames are “of significant change from a previously captured frame.”

To perform the video and image encoding and decoding operations, the tool leverages the free software project FFmpeg. However, many audio and video codecs, along with unnecessary features, have been removed from the FFmpeg version used by CouchPotato.

To provide the tool with image change detection features, the pHash image hashing algorithm has been integrated into FFmpeg’s image2 demuxer. CouchPotato also uses RTSP connectivity and “relies on being launched in an ICE v3 Fire and Collect compatible loader,” the tool’s user guide published on WikiLeaks reveals (PDF).
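
The sketch below is an added illustration, not code from the leaked documents, FFmpeg or the pHash library: it shows how a DCT-based perceptual hash in the style of pHash can decide whether a frame is "of significant change" from the last one kept. The 32x32 frame size, the Hamming-distance threshold, the function names and the sample frames are all assumptions.

```python
import math
from statistics import median

N, K = 32, 8            # assumed: 32x32 grayscale input, 8x8 low-frequency block
THRESHOLD = 10          # assumed: Hamming distance that counts as "significant change"

# Precomputed DCT-II basis: COS[u][x] = cos((2x + 1) * u * pi / (2N))
COS = [[math.cos((2 * x + 1) * u * math.pi / (2 * N)) for x in range(N)]
       for u in range(K)]

def phash(frame):
    """63-bit perceptual hash of an N x N grid of 0-255 grayscale values."""
    coeffs = []
    for v in range(K):
        for u in range(K):
            if u == 0 and v == 0:
                continue  # skip the DC term so uniform brightness shifts are ignored
            coeffs.append(sum(frame[y][x] * COS[u][x] * COS[v][y]
                              for y in range(N) for x in range(N)))
    mid = median(coeffs)
    bits = 0
    for c in coeffs:
        bits = (bits << 1) | (c > mid)  # one bit per coefficient: above median or not
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def changed_frames(frames, threshold=THRESHOLD):
    """Indices of frames that differ enough from the last kept frame."""
    kept, last = [], None
    for i, frame in enumerate(frames):
        h = phash(frame)
        if last is None or hamming(h, last) > threshold:
            kept.append(i)
            last = h
    return kept

# Constructed sample frames (not real camera data).
scene_a = [[(3 * x * x + 17 * y + 5 * x * y) % 200 for x in range(N)] for y in range(N)]
brighter = [[p + 20 for p in row] for row in scene_a]   # lighting drift only
scene_b = [[255 - p for p in row] for row in scene_a]   # large content change (negative)
FRAMES = [scene_a, brighter, scene_b, scene_b]

if __name__ == "__main__":
    print(changed_frames(FRAMES))  # → [0, 2]
```

Decoding every frame and running a transform like this over it is CPU-bound work, which is consistent with the high CPU usage the user guide lists as a caveat for the injected process.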

Thus, using the tool requires a loader that supports the ICE v3 specification (Fire and Collect are mentioned as suitable options, along with ShellTerm, which was used to test CouchPotato during development). The module handler script requires Python 2 and should be run on a *nix host, the same host the loader runs on.

To avoid being blocked by a firewall when sending or receiving data, CouchPotato should be injected into a non-critical host process on the target machine, the documents explain. The user manual specifically recommends against launching it from a process critical to the system’s stability. The tool can be operated using a command-line interface.

Targeting RTSP and H.264 video formats, which are normally used by IP-based surveillance cameras streaming video content over LAN or the Internet, CouchPotato requires the video stream URL to function and doesn’t necessarily require compromising the target’s network.

The user guide published on WikiLeaks includes details on the various arguments the tool supports, along with the limitations and caveats it inherits, such as high CPU usage for the injected process.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
