Researchers have found 20 flaws in Samsung’s SmartThings Hub controller – opening up supported third-party smart home devices to attack.
Commenting on the news are the following security professionals:
Craig Young, Principal Security Researcher at Tripwire:
“For an attacker, smart home hubs are an ideal point of attack. A compromised hub can not only give a foothold into a home network and expose usernames and passwords, it can also allow an attacker to control devices and to generally spy on victims.
Depending on the types of gadgets linked to it, a smart home hub can reveal when people are home and what they are doing (or even saying) at home.
TALOS has found a wide range of vulnerabilities within the SmartThings Hub but these are not the types of issues typically used in widespread malware campaigns. Although the team did demonstrate that an attacker on the local network can achieve code execution, the bug chain is far more complex than what is commonly being exploited by IoT botnets today. It is possible however that a remote attacker could employ cross-site request forgery or DNS rebinding to remotely install a backdoor onto the SmartThings Hub.
In terms of securing IoT devices like this, I recommend segmenting networks and enabling DNS rebinding protection. This means that you should not browse the web or use smartphone applications while on the same network segment as connected devices and that public domain names cannot point back to your private network devices.”
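As an added illustration of the two defences named above (not code from Tripwire, Talos or Samsung), the following Python sketches what "DNS rebinding protection" and a device-side Host check actually do. The resolver filter mirrors the behaviour of dnsmasq's `--stop-dns-rebind` option: answers for public names that point at RFC 1918, loopback or link-local space are dropped, while names in a trusted local zone are allowed to resolve internally. The `home.arpa` zone, the hub address `192.168.1.5` and the name `attacker.example` are assumptions for the example; network segmentation is an infrastructure change and is not shown.

```python
import ipaddress

# Ranges a public name must never resolve to when the answer is seen by a
# home network's resolver: unspecified, RFC 1918, loopback, link-local, ULA.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Zones that legitimately name internal devices. Assumption for this example:
# the home network uses home.arpa (RFC 8375) for its own hosts.
TRUSTED_LOCAL_ZONES = ("home.arpa",)


def _normalize(address):
    """Parse an address; judge IPv4-mapped IPv6 (::ffff:192.168.1.5) as the embedded IPv4."""
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_internal(address):
    ip = _normalize(address)
    return any(ip in net for net in BLOCKED_RANGES)


def is_trusted_local_name(qname):
    name = qname.rstrip(".").lower()
    return any(name == zone or name.endswith("." + zone) for zone in TRUSTED_LOCAL_ZONES)


def filter_answer(qname, addresses):
    """Resolver-side rebinding protection (what dnsmasq --stop-dns-rebind does).

    Returns (kept, dropped). Internal addresses are dropped unless the name lives
    in a trusted local zone, so attacker.example can never be rebound to the hub.
    """
    if is_trusted_local_name(qname):
        return list(addresses), []
    kept, dropped = [], []
    for a in addresses:
        (dropped if is_internal(a) else kept).append(a)
    return kept, dropped


def host_header_allowed(host_header, device_addresses, device_names=()):
    """Device-side defence: serve only requests whose Host header names this device.

    A rebound request still carries the attacker's hostname in Host, because the
    browser believes it is talking to attacker.example; rejecting unknown Host
    values stops the attack even when the resolver did not.
    """
    host = host_header.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal, optional :port
        end = host.find("]")
        if end < 0:
            return False
        target = host[1:end]
    elif host.count(":") == 1:                    # hostname or IPv4 literal with :port
        target = host.rsplit(":", 1)[0]
    else:
        target = host
    try:
        ip = _normalize(target)
    except ValueError:                            # not an IP literal: compare as a name
        return target.rstrip(".") in {n.lower().rstrip(".") for n in device_names}
    return any(ip == _normalize(a) for a in device_addresses)


if __name__ == "__main__":
    # Constructed rebinding timeline: the attacker's name first resolves to a
    # public host (serving the malicious page), then flips to the hub's LAN address.
    hub_ip, attacker = "192.168.1.5", "attacker.example"
    print(filter_answer(attacker, ["203.0.113.10"]))                 # (['203.0.113.10'], [])
    print(filter_answer(attacker, [hub_ip, "::ffff:" + hub_ip]))     # ([], both dropped)
    print(filter_answer("hub.home.arpa", [hub_ip]))                  # kept: trusted zone
    print(host_header_allowed(attacker, [hub_ip], ["hub.home.arpa"]))          # False
    print(host_header_allowed(hub_ip + ":8080", [hub_ip], ["hub.home.arpa"]))  # True
```

The resolver filter protects every device behind it, but only if all clients on the segment use that resolver; the Host check protects a single device regardless of which resolver the victim's browser used, which is why the two are complementary rather than alternatives.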
Javvad Malik, Security Advocate at AlienVault:
“IoT devices are typically not designed with security in mind. Even IoT devices that are intended to provide security have been shown to ironically be insecure.
Ultimately, the onus is on manufacturers to ensure that the devices being sold have undergone rigorous testing, ideally by independent third parties to ensure the security of the systems.
Users of these devices should look for indicators that the product has some security considerations, for example, by ensuring data is collected, stored, and transmitted securely, whether there’s an easy patching process for new updates, if users are forced to change default passwords on first use, and if the devices can be easily monitored so that signs of misuse can be quickly identified.
Smart homes allow attackers to gain entry into people’s innermost secrets without ever setting foot in the house, or even the neighbourhood. The attacks can range from spying on people, to planning a robbery when the house is vacant, or through other means, such as installing ransomware on critical functions, such as thermostat, lights, or locks.”