Researchers have discovered that the popular Samsung SmartCam cameras contain a critical and easy-to-exploit flaw that allows hackers to gain full control of the smart home devices. This is not the first time that researchers have found issues with the product: Samsung has previously released patches, but it appears the problem still remains. Cesare Garlati, Chief Security Strategist at the prpl Foundation, commented below.
Cesare Garlati, Chief Security Strategist at the prpl Foundation:
“The Samsung SmartCam security failures are typical of ones that we see time and again in IoT; namely a lack of knowledge or expertise when it comes to embedded connected devices. This was demonstrated by the fact that these SmartCams were designed with an embedded web server that had been disabled, yet the actual service behind it was still running – and its TCP port left open. In addition, the service itself was allowed to run in root mode, which defies the security controls built in by Linux that would make sure it is not possible to attack one service to control the entire system/device. This should have been picked up in the testing phase of development, but again, clearly that is another area that was overlooked. To help IoT developers, prpl has put together a free Security Guidance for Critical Areas of Embedded Computing document that details how developers can achieve security by separation through hardware virtualisation that would have ensured the flaw (and resulting damage) would have been contained. It would also prevent attackers from exploiting devices using DDoS, as witnessed in the Mirai botnet debacle.”