There is more alarming security news for consumers with smart devices at home: hackers can take remote control of video cameras, thermostats, smart locks or other IoT devices by exploiting vulnerabilities discovered in Samsung’s SmartThings Hub, according to a report by Cisco Systems’ Talos research group.
Cisco Talos researcher Claudio Bozzato discovered 20 vulnerabilities in the firmware of the Samsung SmartThings Hub, which acts as a central command center for monitoring and managing the various IoT devices in a smart home, from smart plugs to LED lightbulbs to appliances. Users connect to the hub from a smartphone to remotely manage and communicate with these devices.
While the vulnerabilities vary in the level of access an attacker needs to exploit them, the sheer number of holes creates the possibility that an attacker could “chain together” vulnerabilities present in the device to gain complete control, Cisco Talos threat researcher Edmund Brumaghin wrote in a blog post outlining the technical aspects of the flaws.
Researchers have since worked with Samsung to issue a firmware update that patches the vulnerabilities. The hub’s firmware is Linux-based and communicates with IoT devices over Ethernet and wireless technologies such as Zigbee, Z-Wave and Bluetooth. Left unpatched, however, the vulnerabilities could wreak havoc on someone’s smart-home system, Brumaghin warned.
“Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities,” he wrote.
Brumaghin outlined a number of dire scenarios of what attackers could do with the flaws, ranging from nuisances such as turning devices connected to hub-controlled smart plugs on or off, to something as serious as compromising the security of a home by disabling a home alarm system’s motion detectors, or even gaining physical entry by unlocking a smart door lock.
Chains of attack
Researchers identified three potential vulnerability chains that hackers could string together to attack home devices connected to the SmartThings Hub.
The first chain leads to remote code execution. TALOS-2018-0556 describes a post-authentication vulnerability that allows arbitrary SQL queries to be executed against a database inside the device. Used alone, it only allows the database to be altered. However, four further advisories (TALOS-2018-0557, TALOS-2018-0576, TALOS-2018-0581 and TALOS-2018-0583) describe a set of memory-corruption vulnerabilities that allow arbitrary code execution by an attacker who is capable of issuing arbitrary SQL queries. Combined with TALOS-2018-0556, these give an attacker code execution from the network, according to the post.
The second chain allows for remote information leakage. Again using TALOS-2018-0556, an attacker can create an empty file anywhere inside the device. As described in another advisory, TALOS-2018-0593, the existence of an empty file at the path “/hub/data/hubcore/stZigbee” will cause the “hubCore” process to crash. That crash in turn triggers an information leak that can be captured from the network, as described in TALOS-2018-0594.
“Thus, by chaining these vulnerabilities in order, an attacker can obtain a memory dump of the `hubCore` process, which contains most of the core logic, and consequent sensitive information, of the Hub,” Brumaghin wrote.
The third chain is a pre-authentication remote code execution. TALOS-2018-0578 describes a vulnerability that permits injecting semi-controlled HTTP requests into the internal “video-core” process from the network, without prior authentication. On their own, these injected requests are not completely controllable; however, chaining TALOS-2018-0578 with TALOS-2018-0577 lets an attacker further refine the injected HTTP request, according to the post.
To go further, TALOS-2018-0577 in the chain also allows the method, path and body components of an HTTP request to be modified by exploiting a bug in the handling of HTTP pipelining, and adding TALOS-2018-0573 then allows a stack buffer overflow to be exploited by sending a local HTTP request to the “video-core” process, according to the blog post.
“By chaining these three vulnerabilities together, an attacker can compromise the device remotely without prior authentication,” Brumaghin wrote, adding that other similar vulnerabilities could be used as the last element of the chain, though they might be more complex to implement.
Remedy and protection
As previously mentioned, a firmware update is already available for Samsung SmartThings Hub customers that repairs the vulnerabilities.
Additionally, Cisco Talos researchers advise those using devices such as the hub to ensure that they are configured securely and updated as quickly as possible when new firmware becomes available.
“Given that these devices can be deployed in many different scenarios, the impact of a successful attack against them could be severe,” Brumaghin wrote.
Samsung pushes updates out to its devices automatically, so in this case customers don’t need to do anything special to protect themselves. However, Cisco Talos recommends users verify that the updated version has actually been applied to devices to ensure that they are no longer vulnerable.
For more information about the vulnerabilities and their potential impact, Samsung has posted an advisory on its SmartThings page, along with the firmware update.