It’s (Still) Extremely Easy to Hack Samsung’s SmartCam
After the East Coast DDoS attack last year, we are finally seeing users pushing the makers of Internet-connected devices to start thinking about security too. After news from China, security researchers have now discovered Samsung's smart cameras are vulnerable to attacks too.
These vulnerabilities allow hackers to gain full control - this means hackers could get the ability to view private video feeds. This is not the first time researchers have found vulnerabilities in the Web interface used to manage Samsung smart camera. The same group has previously shown how they could abuse the interface to change the admin password.
Samsung had in response taken steps to remove access to the interface. This, however, resulted in users losing access to the Web interface. They had to use a smartphone connecting to the Samsung SmartCloud website to manage their devices. Those, who were happier with the Web-based management of their smart camera didn't, of course, like this removal of access.
Critical flaw lets hackers take control of Samsung SmartCam
"We decided to audit the device once more to see if there is a way we can give users back access to their cameras while at the same time verifying the security of the devices new firmware," the research team wrote.
While everything in the web interface has been removed by Samsung (in response to earlier vulnerability detection), the files which provide firmware update abilities for the camera through its “iWatch” web cam monitoring service were left untouched. Here are the details of the bug:
These scripts contain a command injection bug that can be leveraged for root remote command execution to an unprivileged user. The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a php system() call. Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution.
Samsung has said this iWatch vulnerability only affects the SNH-1011 model and will be fixed in an upcoming update. The research team has shared a more detailed technical write-up along with a fix for the vulnerability. Using their instructions, you can actually get access to the Smartcams’s web administration panel. But, it's probably better to wait for the expected official fix. In any case, here's the video demo: