Slashdot Mirror


Bugs In Samsung IoT Hub Leave Smart Home Open To Attack (threatpost.com)

secwatcher writes from a report via Threatpost: Cisco Talos researchers found flaws located in Samsung's centralized controller, a component that connects to an array of IoT devices around the house -- from light bulbs and thermostats to cameras. SmartThings Hub is one of several DIY home networking devices designed to allow homeowners to remotely manage and monitor digital devices. "Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities," researchers said in a report. Threatpost goes on to detail the "multiple attack chain scenarios." Thankfully, Samsung has since patched the bugs. "We are aware of the security vulnerabilities for SmartThings Hub V2 and released a patch for automatic update to address the issue," a Samsung spokesperson told Threatpost. "All active SmartThings Hub V2 devices in the market are updated to date." The company released a firmware advisory for Hub V2 devices on July 9th.

44 comments

  1. it's a party! by phantomfive · · Score: 1

    Life is good again, and employment is up, for hackers. The primary reason to have a smartphone hub is security. If you don't have that, you might as well just let the devices talk directly to their servers as they wish.

    --
    "First they came for the slanderers and i said nothing."
    1. Re: it's a party! by Anonymous Coward · · Score: 0

      Dude, no code is perfect. It's how you handle the bugs that matters.

      In this case, not only did they listen to the researchers, they patched it quickly, and in fact they patched all of them in the entire world. This isn't your typical internet of shit company.

      Samsung's behavior in this case was an example others should follow. Try to be decent about the fact that humans make mistakes sometimes, as long as they handle correcting them properly.

    2. Re:it's a party! by jwhyche · · Score: 2

      Doesn't anybody in the computer field really use these things? I know several "mundanes", consult your jargon file for that use in this context, that use them. They have their houses wired with Alexa and the Google version. But every computer "professional" that I know won't touch the things with a 3 meter pole.

      My daughter wanted to put one in the family apartment. I instructed her that it might come into conflict with rule #1. That rule being any machine that exhibits any form of self awareness would be dispatched with a baseball bat.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
  2. No vulnerabilities in Cisco products? by thesjaakspoiler · · Score: 3, Insightful

    Amazing that Cisco Talos was not able to find 1 vulnerability in a Cisco product!!1!

    1. Re: No vulnerabilities in Cisco products? by phantomfive · · Score: 1

      All he had to do to exploit the Cisco product was type the default password. Cisco always falls for that one.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:No vulnerabilities in Cisco products? by Anonymous Coward · · Score: 0

      Then of course you'd think that, you were told it every day.

  3. ...and give us this day our daily IoT exploit... by Opportunist · · Score: 4, Insightful

    (from the hacker's prayer)

    Quite frankly, why? You know, I can see it with the makers of hardware that have no history with security or internet connectivity. I don't even wonder anymore why huge security holes gape in internet connected fridges and dishwashers, simply because the makers of such appliances never had to deal with anything like this and are, essentially, at a security level we were 25 years ago.

    But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments? I don't even expect different departments of huge corporations to work together anymore, but this is ridiculous.

    And embarrassing.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:Samsung??? by Anonymous Coward · · Score: 0

    LOL, Apple. No thanks; I'm fine with people making assumptions about my wealth. I don't need to waste it on an expensive phone to prove anything because I'm not a sucker of Satan's cock. Peace out, mic-drop, SAD!

  5. Still Smart? by mentil · · Score: 4, Interesting

    An entity can only be tricked/subverted/exploited so many times before one has to stop calling it 'smart'.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re: Still Smart? by Anonymous Coward · · Score: 0

      There is a difference between being smart and being intelligent. You're describing loss of the latter.

    2. Re:Still Smart? by LordHighExecutioner · · Score: 1

      About being "smart"... here in our country highways are pestered with Smart(TM) cars, usually driven badly. We usually say that "smart" refers to the box, not to what is inside. Probably the same holds for smart homes...

  6. Re:...and give us this day our daily IoT exploit.. by mentil · · Score: 2

    IMO security holes should be treated the same way as chemical spills: cleanup paid for by money placed in escrow by the ones responsible, rather than letting it become a superfund site that languishes on condemned property with a multi-billion-dollar cleanup price tag no one wants to shell out for.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  7. Re: ...and give us this day our daily IoT exploit. by phantomfive · · Score: 1

    Why do you think Samsung smartphones are secure? Apparently they're still not confident in keeping them from exploding.

    --
    "First they came for the slanderers and i said nothing."
  8. The Day Smart Home Dies by bankman · · Score: 3, Interesting

    I am so looking forward to the day insurance companies start inserting clauses that they won't cover smart home related cases, insisting that you have to prove your smart home devices weren't to blame for your insurance case. That's probably the only way the current idiotic trend can be averted.

    --
    I feel so sig.
    1. Re:The Day Smart Home Dies by Anonymous Coward · · Score: 0

      You're cute.

      Insurance companies are already requiring smart "trackers" be installed in vehicles in certain cases. A coworker just switched insurance, and they want a tracker installed that reports back to them any time she accelerates too quickly or stops too suddenly. More than a few instances a month and her rates will go up.

      I would guess we're only a few years away from home insurance requiring spying devices installed in the home so that they can precisely monitor how you caused whatever accident leads to actually needing to use the insurance, so they can deny the claim.

      No company in the world wants less smart devices. No government in the world does either. They want everything completely and utterly wired so they can monitor the population more closely, and monetize every single aspect of life down to "hold your fridge door open too long, fined for energy consumption beyond necessity."

  9. Re:...and give us this day our daily IoT exploit.. by Dutch+Gun · · Score: 3, Insightful

    Samsung's security record with their smartphones is exactly why this doesn't surprise me in the least to hear about exploits in other products. I mean, I remember hearing about how ineptly their early thumbprint readers or facial recognition features were designed, or what a disaster their own OS is in technical and security terms.

    My overall impression has been that, like many hardware-focused companies, they're simply terrible at creating high-quality software. I have a suspicion that's because the departments who create the hardware are considered their A-team and money-makers. On the other hand, software is just... necessary overhead - and should be finished as quickly and cheaply as possible to get the hardware working.

    --
    Irony: Agile development has too much inertia to be abandoned now.
  10. HACKERS DEMON by Anonymous Coward · · Score: 0

    Why they watching me

  11. No to Smart home by Anonymous Coward · · Score: 0

    No way in hell will I set up a Smart home!

  12. NEWSFLASH! IoT fad a super-unsafe thing! by Qbertino · · Score: 1

    Next up:

    Shocker! Pope catholic!
    This just in: Water is wet!
    Fascinating nature study reveals: Bears shit in the forest!

    News brought to you by CORI - Captain Obvious Research Institute

    --
    We suffer more in our imagination than in reality. - Seneca
  13. Sensational news misses the point by TomGreenhaw · · Score: 4, Insightful

    They patched all the products. Yes, there was a problem and it got fixed at no charge to its customers automatically.

    I decided to give this stuff a try and it's very convenient. I don't use it to control locks, and in fact you can't even use Alexa to control locks and garage doors because it's designed so conservatively. How can "Alexa, close the garage door" be a problem?

    Using a voice command to turn off all the lights is nice. Having small sensors on our keychains to turn the alarm on and off automatically is nice.

    With all the furor and FUD over privacy, I think a lot of people are quick to throw the baby out with the bath water.

    If you're worried about privacy, look at one of the many open source alternatives to Alexa or Google Home devices and contribute.

    --
    Greed is the root of all evil.
    1. Re:Sensational news misses the point by locopuyo · · Score: 1

      The same people poo pooing iot are the same people that poo pooed smartphones when they were new. Once it becomes more mainstream they'll realize all of the conveniences they're missing out on and get it too.

  14. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  15. Re:...and give us this day our daily IoT exploit.. by Opportunist · · Score: 1

    Well, there could be a market for a dedicated IoT Linux distribution and licensing it, if, and only if, IoT makers wouldn't be so cheap to even ignore the GPL, let alone any other licenses that actually cost money.

    The problem is that for most of these appliances, internet connectivity is an afterthought and a gadget, a sales gimmick rather than an actual functionality that they care about. It's one more tick box on those tick box lists we like so much that determine which of the two indistinguishable appliances we buy, based simply on this one having one tick box more checked than the other one. Do we need that feature? Hell, we don't even know what it means. But it's one feature more that this one has that the other one doesn't, so we buy the one with it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. Re:...and give us this day our daily IoT exploit.. by TheFakeTimCook · · Score: 1

    (from the hacker's prayer)

    Quite frankly, why? You know, I can see it with the makers of hardware that have no history with security or internet connectivity. I don't even wonder anymore why huge security holes gape in internet connected fridges and dishwashers, simply because the makers of such appliances never had to deal with anything like this and are, essentially, at a security level we were 25 years ago.

    But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments? I don't even expect different departments of huge corporations to work together anymore, but this is ridiculous.

    And embarrassing.

    Hmmmm.

    Interesting you never hear of these kinds of things with HomeKit devices...

  17. Re:...and give us this day our daily IoT exploit.. by drinkypoo · · Score: 0

    But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments?

    Samsung is generally incompetent at everything, except starting fires. They're absolutely great at that.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  18. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  19. Re:...and give us this day our daily IoT exploit.. by Anonymous Coward · · Score: 0

    My overall impression has been that, like many hardware-focused companies, they're simply terrible at creating high-quality software. I have a suspicion that's because the departments who create the hardware are considered their A-team and money-makers. On the other hand, software is just... necessary overhead - and should be finished as quickly and cheaply as possible to get the hardware working.

    I think they have design process shortcomings throughout their engineering department. Their french door refrigerators leak water due to several design flaws. Their 840 EVO SSDs had design flaws that drastically slowed read speed. I know these two examples well since I own both products. Then of course there are the exploding phones.

    Samsung is a no-go for me. Don't care how much cheaper their products are or how claimed performance is superior.

  20. This is why I won't buy into home devices by Anonymous Coward · · Score: 0

    I never found a need in the first place for most home devices. But I also was concerned that they just added yet another device to hack. I have little trust these home device manufacturers are that dedicated to a secure device. It's more about making them dummy proof to set up for tech challenged buyers.

  21. Re:...and give us this day our daily IoT exploit.. by Opportunist · · Score: 1

    Not the worst idea so far. What you'd need for this is an internationally (or hell, at least nationally) recognized and promoted IoT security seal that shows the maker of the device has followed certain standards (that also have been tested by an independent security lab).

    Yes, it ain't perfect, but it's leaps and bounds over the mess we have now. Because yes, I actually like the idea of appliances being controlled via the internet. But in their current state this is going to be a disaster. No later than when these news start to become a daily routine in the "normal" news, even tech illiterates will start to view "IoT" as a design flaw rather than a feature.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  22. Re:...and give us this day our daily IoT exploit.. by Sloppy · · Score: 1

    Seems like you answered your own million dollar question. The contest was rigged!!

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  23. The Smart Choice by techdolphin · · Score: 1

    To put it another way, the smart choice is to have a dumb home.

  24. Centralized control of IoT has always bothered me by Locke2005 · · Score: 1

    Why does my "turn off the lights" command to my bedroom digital assistant have to travel round trip to the device manufacturer's server before turning off the light in my bedroom? Sending the command directly from the assistant to the switch would be much faster, and wouldn't rely on the huge failure point of an internet connection to perform a simple task!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  25. Bugs in Samsung? by OneHundredAndTen · · Score: 1

    That's not possible. Samsung is a company on fire, consistently coming up with the hottest products in the market, and explosive devices that no one else can match, in its hell-bent effort of singeing the competition.

  26. Re:Centralized control of IoT has always bothered by Anonymous Coward · · Score: 0

    https://en.wikipedia.org/wiki/The_Clapper

    In other words, it doesn't.

  27. External control by Anonymous Coward · · Score: 0

    Call me a Luddite, but I don't want to connect my house (door lock, appliances, thermostat) or car (door lock, brakes, steering) to the Internet. Too many bad things can happen - on purpose or by a software error.

  28. Silly question but by nehumanuscrede · · Score: 1

    Is there a Security Standard of any kind for IOT devices or is it just a free-for-all, we'll-implement-whatever-we-want sort of thing?

    If there isn't, something along the lines of Underwriters Laboratories, designed for IOT / Consumer networked devices would be an outstanding idea.

  29. Re: Samsung??? by Anonymous Coward · · Score: 0

    Wow what a Trump fuck.

    Anyone who ends with "SAD" needs to improve their vocabulary.

  30. Re: Samsung??? by Anonymous Coward · · Score: 0

    No fan of Apple, but whoever still buying Samsung are real dumb fucks.

    Have fun burning your face off when it explodes. Go make Michael Bay proud!

  31. Re:Centralized control of IoT has always bothered by Locke2005 · · Score: 1

    There is no _technical_ reason to route commands through the company's server; this is done purely for vendor lock-in. The IoT vendors want to have control over your devices after you buy them! Of course, that means they can render any of your devices non-functional at any time, for any reason, including just to make you buy the newer version they are selling. Any device you buy that requires a connection to a company server, you haven't really bought anything -- you are renting time on the company server for a limited time.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.