Skip to main content

Samsung Smartcam has a critical remote execution vulnerability, update coming

Critical remote execution vulnerability, firmware update coming to Samsung smartcam

samsung smartcam has remote execution vulnerability snh 1011n 2 100704208 large
Image used with permission by copyright holder
Securing a PC is hard enough, with an entire industry of security software vendors working to make your PC safe and companies like Microsoft making security a primary focus. There are many other pieces of the technology puzzle today where security seems to be taking a back seat, and they are all connected to the same risky internet.

One of the most vulnerable members of the Internet of Things (IoT) seems to be the humble webcam, which by its very nature can open you up to privacy concerns and that can be used to host botnets for distributed denial-of-service (DDoS) attacks. Recently, one model in Samsung’s Smartcam line of webcams has been identified as having a serious vulnerability, PCWorld reports.

Samsung’s Smartcam is quite popular, offering a relatively simple device with easy setup and configuration using smartphone apps and the company’s My Smartcam cloud service. The move away from using an onboard web service for configuration was a decision made by the webcam’s original developer, Samsung Techwin, based on vulnerabilities identified in the web-based management interface.

In response, the Smartcam SNH-1011’s local web-based management portal was disabled, leaving only the apps and online service. While that was a logical response, there was only one problem with its implementation — while the administrative access was disabled, the web server was left running and actively utilized for a variety of functionality. For example, PHP scripts used in the iWatch video monitoring system were left alone.

It’s this PHP code that created the recently identified vulnerability discovered by “hacking collective” the Exploiteers. According to researchers from that organization, “The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a PHP system() call. Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution.”

Samsung Smartcam iWatch Root Exploit

Samsung has reached out with a statement clarifying the situation: “It was recently discovered that the Samsung Smartcam SNH-1011 security cameras contain a code execution vulnerability that could allow hackers to gain root access and take full control of them. Upon further inspection, the web server running on this device hosted a PHP script related to a third-party service. This vulnerability only affects the SNH-1011 model and will be removed in an upcoming firmware update. As a result, we are taking every precaution to prevent additional issues with products in the SmartCam line. As a reminder, it is best practice for consumers to ensure their home networks are protected with passwords that are complex and regularly updated.”

That limits the situation a bit to only a single Smartcam model. If you’re using the SNH-1011, then you might want to turn it off until Samsung issues the promised firmware update.

This story was originally published in January 2017. Updated on 01-18-2017 by Mark Coppock: Added official Samsung statement.

Mark Coppock
Mark has been a geek since MS-DOS gave way to Windows and the PalmPilot was a thing. He’s translated his love for…
A dangerous new jailbreak for AI chatbots was just discovered
the side of a Microsoft building

Microsoft has released more details about a troubling new generative AI jailbreak technique it has discovered, called "Skeleton Key." Using this prompt injection method, malicious users can effectively bypass a chatbot's safety guardrails, the security features that keeps ChatGPT from going full Taye.

Skeleton Key is an example of a prompt injection or prompt engineering attack. It's a multi-turn strategy designed to essentially convince an AI model to ignore its ingrained safety guardrails, "[causing] the system to violate its operators’ policies, make decisions unduly influenced by a user, or execute malicious instructions," Mark Russinovich, CTO of Microsoft Azure, wrote in the announcement.

Read more