Bugs In Samsung IoT Hub Leave Smart Home Open To Attack (threatpost.com)
secwatcher writes from a report via Threatpost: Cisco Talos researchers found flaws located in Samsung's centralized controller, a component that connects to an array of IoT devices around the house -- from light bulbs, thermostats, and cameras. SmartThings Hub is one of several DIY home networking devices designed to allow homeowners to remotely manage and monitor digital devices. "Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities," researchers said in a report. Threatpost goes on to detail the "multiple attack chain scenarios." Thankfully, Samsung has since patched the bugs. "We are aware of the security vulnerabilities for SmartThings Hub V2 and released a patch for automatic update to address the issue," a Samsung spokesperson told Threatpost. "All active SmartThings Hub V2 devices in the market are updated to date." The company released a firmware advisory for Hub V2 devices on July 9th.
Amazing that Cisco Talos was not able to find 1 vulnerability in a Cisco product!!1!
(from the hacker's prayer)
Quite frankly, why? You know, I can see it with the makers of hardware that have no history with security or internet connectivity. I don't even wonder anymore why huge security holes gape in internet connected fridges and dishwashers, simply because the makers of such appliances never had to deal with anything like this and are, essentially, at a security level we were at 25 years ago.
But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments? I don't even expect different departments of huge corporations to work together anymore, but this is ridiculous.
And embarrassing.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Samsung's security record with their smartphones is exactly why this doesn't surprise me in the least to hear about exploits in other products. I mean, I remember hearing about how ineptly their early thumbprint readers or facial recognition features were designed, or what a disaster their own OS is in technical and security terms.
My overall impression has been that, like many hardware-focused companies, they're simply terrible at creating high-quality software. I have a suspicion that's because the departments who create the hardware are considered their A-team and money-makers. On the other hand, software is just... necessary overhead - and should be finished as quickly and cheaply as possible to get the hardware working.
Irony: Agile development has too much inertia to be abandoned now.
They patched all the products. Yes, there was a problem and it got fixed at no charge to its customers automatically.
I decided to give this stuff a try and it's very convenient. I don't use it to control locks, and in fact you can't even use Alexa to control locks and garage doors because it's designed so conservatively. How can "Alexa, close the garage door" be a problem?
Using a voice command to turn off all the lights is nice. Having small sensors on our keychains to turn the alarm on and off automatically is nice.
With all the furor and FUD over privacy, I think a lot of people are quick to throw the baby out with the bath water.
If you're worried about privacy, look at one of the many open source alternatives to Alexa or Google Home devices and contribute.
Greed is the root of all evil.