Flaw Lets Hackers Own Samsung Smartcams With Bogus Firmware

A flaw in smart cameras sold by Samsung leaves them vulnerable to remote attack, researchers claim.

In brief: a flaw in Samsung’s Smartcam product could allow remote attackers to take control of the devices. The news comes two years after Samsung took steps to patch other flaws in its Internet-connected cameras.

Two years after security researchers demonstrated a way that remote attackers could take control of Samsung-branded smart cameras, those cameras can still be compromised, according to a blog post by the website exploitee.rs. The flaw is believed to affect all versions of Samsung’s Smartcam.

The researchers said that steps taken by Samsung to eliminate a vulnerability in the Smartcam web interface overlooked a command injection flaw in the company’s iWatch software that could allow a user to gain administrator (or “root”) privileges on a Smartcam. An attacker can trigger the flaw by hiding a malicious command in a filename which is then passed to the vulnerable camera. This is just the latest security flaw to affect Internet-connected surveillance cameras, a fast-growing category of connected devices in both homes and businesses.


Samsung did not respond to an email request for comment from The Security Ledger.

In 2014, security researchers demonstrated a remote code execution (or RCE) vulnerability that allowed hackers to arbitrarily change the camera’s administrator password. A demonstration of that flaw at the DEFCON hacker conference prompted Samsung to disable the camera’s local web interface, preventing local management of the devices and forcing customers to use the company’s SmartCloud service to manage cameras on their home or office networks.

Samsung’s response removed the threat posed by the RCE vulnerability. However, further research on the Smartcam devices suggests the company did not remove all threats to the cameras.

Specifically: the attack demonstrated by exploitee.rs would enable either remote attackers or those on the same network as the Smartcam to seize control of the device. According to the researchers, a flaw in scripts used by the Samsung cameras to install software updates for Samsung’s iWatch firmware allows attackers to send the malicious command disguised as a software (or “firmware”) update file name. “A specially crafted request allows an attacker the ability to inject his own command providing the attacker remote root command execution,” the researchers wrote. In short: Samsung’s cameras will allow a user who can remotely connect to the device to upload any file so long as it claims to have the proper file extension and has a valid MD5 hash. Alas: both those variables can be supplied by the user (or, in this scenario, the attacker).

Using that flaw and some clever workarounds for security features designed to limit what kinds of data users can send to the Smartcam, the researchers were able to concoct a file name for a bogus firmware update that, when run, opened a Telnet session with root access on the device, giving attackers total control over the camera. The vulnerability can be patched by modifying a script on the cameras to prevent execution of the malicious file name, the researchers said.
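The two paragraphs above describe an update check that trusts a sender-supplied extension and MD5 hash, and a fix that stops the file name from being executed. The added example below (not code from Samsung or exploitee.rs) contrasts that check with a stricter one. The `.tgz` extension, the file names, the installer path and the pinned-digest table are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Assumption: update files are named like "smartcam-1.0.tgz" (extension is illustrative).
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}\.tgz")


def weak_check(filename: str, data: bytes, claimed_md5: str) -> bool:
    """Extension plus MD5, where the sender supplies both values."""
    return filename.endswith(".tgz") and hashlib.md5(data).hexdigest() == claimed_md5


def strict_check(filename: str, data: bytes, trusted: dict) -> bool:
    """Allowlist the name, then compare against a digest the device already trusts."""
    if not SAFE_NAME.fullmatch(filename):
        return False  # rejects ';', spaces, '$', backticks, '/', and so on
    expected = trusted.get(filename)
    if expected is None:
        return False  # unknown image: no pinned digest to compare against
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def install_argv(filename: str) -> list:
    """Argument vector for a hypothetical installer; run with subprocess.run(argv), no shell."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("unsafe firmware file name")
    return ["/usr/sbin/fw-install", "--", "/tmp/upload/" + filename]


# Constructed sample data, not taken from any real device.
GOOD_IMAGE = b"constructed firmware image v1.0"
TRUSTED = {"smartcam-1.0.tgz": hashlib.sha256(GOOD_IMAGE).hexdigest()}
ODD_NAME = "a;echo injected;.tgz"  # shell metacharacters, still ends in .tgz
ODD_DATA = b"constructed untrusted payload"

if __name__ == "__main__":
    sender_md5 = hashlib.md5(ODD_DATA).hexdigest()  # the sender can always compute this
    print("weak accepts odd name:  ", weak_check(ODD_NAME, ODD_DATA, sender_md5))
    print("strict accepts odd name:", strict_check(ODD_NAME, ODD_DATA, TRUSTED))
    print("strict accepts release: ", strict_check("smartcam-1.0.tgz", GOOD_IMAGE, TRUSTED))
    print("argv:", install_argv("smartcam-1.0.tgz"))
```

A hash that arrives in the same request as the file only detects transmission errors; integrity against a hostile sender needs a digest or signature the device trusts independently of the upload.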

The security of smart cameras has become a prominent issue in recent months, after the emergence of the Mirai botnet, which cobbled together hundreds of thousands of vulnerable cameras, digital video recorders and other devices. The Federal Trade Commission (FTC) has taken action against makers of vulnerable cameras, including a case filed last week against D-Link for marketing security cameras that contain exploitable vulnerabilities as “secure.”
