One of the most vulnerable members of the Internet of Things (IoT) seems to be the humble webcam, which by its very nature can open you up to privacy concerns and that can be used to host botnets for distributed denial-of-service (DDoS) attacks. Recently, one model in Samsung’s Smartcam line of webcams has been identified as having a serious vulnerability, PCWorld reports.
Samsung’s Smartcam is quite popular, offering a relatively simple device with easy setup and configuration using smartphone apps and the company’s My Smartcam cloud service. The move away from using an onboard web service for configuration was a decision made by the webcam’s original developer, Samsung Techwin, based on vulnerabilities identified in the web-based management interface.
In response, the Smartcam SNH-1011’s local web-based management portal was disabled, leaving only the apps and online service. While that was a logical response, there was only one problem with its implementation — while the administrative access was disabled, the web server was left running and actively utilized for a variety of functionality. For example, PHP scripts used in the iWatch video monitoring system were left alone.
It’s this PHP code that created the recently identified vulnerability discovered by “hacking collective” the Exploiteers. According to researchers from that organization, “The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a PHP system() call. Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution.”
Samsung has reached out with a statement clarifying the situation: “It was recently discovered that the Samsung Smartcam SNH-1011 security cameras contain a code execution vulnerability that could allow hackers to gain root access and take full control of them. Upon further inspection, the web server running on this device hosted a PHP script related to a third-party service. This vulnerability only affects the SNH-1011 model and will be removed in an upcoming firmware update. As a result, we are taking every precaution to prevent additional issues with products in the SmartCam line. As a reminder, it is best practice for consumers to ensure their home networks are protected with passwords that are complex and regularly updated.”
That limits the situation a bit to only a single Smartcam model. If you’re using the SNH-1011, then you might want to turn it off until Samsung issues the promised firmware update.
This story was originally published in January 2017. Updated on 01-18-2017 by Mark Coppock: Added official Samsung statement.
