Security researchers have found a severe vulnerability that could allow hackers to hijack a Samsung SmartCam, according to a report.
According to researchers calling themselves the “Exploiteers,” the php files that provide firmware updates via the camera's iWatch" webcam monitoring service have a command injection bug. The bug can be remotely executed by an unprivileged user—meaning that anyone with the camera’s IP address can exploit the system.
Samsung's SmartCam was first compromised using a number of vulnerabilities by the Exploiteers at August's DEFCON 22 security conference, in a way that allowed remote camera execution and let them change the administrator's password. Samsung addressed this by removing the camera’s accessible web interface, instead shifting access to Samsung’s SmartCloud website.
However, the fact that the web server remained in place opened the door to this second exploit, which the group demonstrates in a YouTube video.
“In the case of the Samsung SmartCam, the vendor attempted to resolve past security issues within the products web server by removing the web page content, instead of the web server,” said Deral Heiland, research lead at Rapid7. “The best practice solution is, if a service is not being used, it should be disabled.”
Heiland added, “This is yet another interesting example of commonly identified web vulnerabilities being found on embedded IoT devices. Historically, we are accustomed to seeing such web vulnerabilities in e-commerce websites, and we are getting better at preventing them. Yet we quickly forget about the growing number of embedded IoT appliances that contain web servers for the purpose of management and configuration.”
The exploit comes as more and more IoT devices are enslaved to botnets like Mirai.
“As consumers, we should avoid exposing any IoT products we own directly to the internet,” Heiland said. “This will help avoid being compromised and potentially being part of the next Mirai botnet. Also, we must remember to keep our products patched with the latest firmware.”
Photo © wwwebmaster