Slashdot Mirror
Bugs In Samsung IoT Hub Leave Smart Home Open To Attack (threatpost.com)
secwatcher writes from a report via Threatpost: Cisco Talos researchers found flaws located in Samsung's centralized controller, a component that connects to an array of IoT devices around the house -- from light bulbs, thermostats, and cameras. SmartThings Hub is one of several DIY home networking devices designed to allow homeowners to remotely manage and monitor digital devices. "Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities," researchers said in a report. Threatpost goes on to detail the "multiple attack chain scenarios." Thankfully, Samsung has since patched the bugs. "We are aware of the security vulnerabilities for SmartThings Hub V2 and released a patch for automatic update to address the issue," a Samsung spokesperson told Threatpost. "All active SmartThings Hub V2 devices in the market are updated to date." The company released a firmware advisory for Hub V2 devices on July 9th.
Everyone else gets sloppy seconds.
Who uses Samsung???
I still use my iPhone 6s and reduce my monthly bill from $80 to $50. As a phone and a video camera, the iPhone 6s isn't obsolete and I use it to make my videos on youtube. As a Sprint very special customer for 20+ years, Sprint will always give me a new iPhone for free if I decide to stop using the 6s as a phone in the next several years.
I have a hearing loss in one ear, so my audio will always be suspect. I use a Zoom H2 audio recorder with a pop filter 12" away from my mouth, Audacity to clean up and normalize the audio, and sync the audio to the video and apply a "voice enhancement" eq to the audio in the video editor.
My PC has an eight-core processor and a Nvidia 1050 Ti 4GB video card. A minute of 1080p video renedered on the processor takes a minute. A minute of 1080p video rendered on the Nvidia card takes 10 seconds. I don't think an iPad has the same performance of my PC for rendering videos longer than a short clip.
I can't imagine using Photoshop without a keyboard and mouse, or not being able to access my files from my file server. Video rendering on the iPad will probably suck donkey balls.
Blackmagic also charges high prices for their gear as Apple does. Need an HDMI to USB3 capture device? Blackmagic is $300. Any generic company is $50.
--
Dwayne Johnson's Rampage As A Kaiju ("Weird Beast") Monster Movie
Life is good again, and employment is up, for hackers. The primary reason to have a smartphone hub is security. If you don't have that, you might as well just let the devices talk directly to their servers as they wish.
"First they came for the slanderers and i said nothing."
Amazing that Cisco Talus was not able to find 1 vulnerability in a Cisco product!!1!
(from the hacker's prayer)
Quite frankly, why? You know, I can see it with the makers of hardware that have no history with security or internet connectivity. I don't even wonder anymore why huge security holes gap in internet connected fridges and dishwashers, simply because the makers of such appliances never had to deal with anything like this and are, essentially, at a security level we were 25 years ago.
But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments? I don't even expect different departments of huge corporations to work together anymore, but this is ridiculous.
And embarrassing.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
LOL! I use to work at Samsung and we don't talk between us just like at the 3 letter agency where I work now but we don't use encryption so your argument is invalid
--
Dwayne Johnson's Rampage As A Kaiju ("Weird Beast") Monster Movie
An entity can only be tricked/subverted/exploited so many times before one has to stop calling it 'smart'.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
IMO security holes should be treated the same way as chemical spills: cleanup paid for by money placed in escrow by the ones responsible, rather than letting it become a superfund site that languishes on condemned property with a multi-billion-dollar cleanup price tag noone wants to shell out for.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Why do you think Samsung smartphone are secure? Apparently they're still not confident in keeping them from exploding.
"First they came for the slanderers and i said nothing."
I am so looking forward to the day insurance companies start inserting clauses that they won't cover smart home related cases, insisting that you have to prove your smart home devices weren't to blame for your insurance case. That's probably the only way the current idiotic trend can be averted.
I feel so sig.
Samsung's security record with their smartphones is exactly why this doesn't surprise me in the least to hear about exploits in other products. I mean, I remember hearing about how ineptly their early thumbprint readers or facial recognition features were designed, or what a disaster their own OS is in technical and security terms.
My overall impression has been that, like many hardware-focused companies, they're simply terrible at creating high-quality software. I have a suspicion that's because the departments who create the hardware are considered their A-team and money-makers. On the other hand, software is just... necessary overhead - and should be finished as quickly and cheaply as possible to get the hardware working.
Irony: Agile development has too much intertia to be abandoned now.
Why they watchjng me
No way in hell will I set-up a Smart home !
Next up:
Shocker! Pope catholic!
This just in: Water is wet!
Fascinating nature study reveals: Bears shit in the forrest!
News brought to you by CORI - Captain Obvious Research Institute
We suffer more in our imagination than in reality. - Seneca
They patched all the products. Yes, there was a problem and it got fixed at no charge to its customers automatically.
I decided to give this stuff a try and its very convenient. I don't use it to control locks, and in fact you can't even use Alexa to control locks and garage doors because its designed so conservatively. How can "Alexa, close the garage door" be a problem?
Using a voice command to turn off all the lights is nice. Having small sensors on our keychains to turn the alarm on and off automatically is nice.
With all the furor and FUD over privacy, I think a lot of people are quick to throw the baby out with the bath water.
If you're worried about privacy, look at one of the many open source alternatives to Alexa or Google Home devices and contribute.
Greed is the root of all evil.
Samsung's security record with their smartphones is exactly why this doesn't surprise me in the least to hear about exploits in other products. I mean, I remember hearing about how ineptly their early thumbprint readers or facial recognition features were designed, or what a disaster their own OS is in technical and security terms.
My overall impression has been that, like many hardware-focused companies, they're simply terrible at creating high-quality software. I have a suspicion that's because the departments who create the hardware are considered their A-team and money-makers. On the other hand, software is just... necessary overhead - and should be finished as quickly and cheaply as possible to get the hardware working.
The same logic should apply to Apple too, being a primarily a hardware company, but it doesn't. Apple products generally have above average security (but not excellent) and years of updates. So Samsung can evolve and improve their reputation (and bottom line) if they want to.
Comment removed based on user account deletion
Well, there could be a market for a dedicated IoT Linux distribution and licensing it, if, and only if, IoT makers wouldn't be so cheap to even ignore the GPL, let alone any other licenses that actually cost money.
The problem is that for most of these appliances, internet connectivity is an afterthought and a gadget, a sales gimmick rather than an actual functionality that they care about. It's one more tick box on that tick box lists we like so much that determine which of the two indistinguishable appliances we buy, based simply on this one having one tick box more checked than the other one. Do we need that feature? Hell, we don't even know what it means. But it's one feature more that this one has that the other one doesn't, so we buy the one with it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
(from the hacker's prayer)
Quite frankly, why? You know, I can see it with the makers of hardware that have no history with security or internet connectivity. I don't even wonder anymore why huge security holes gap in internet connected fridges and dishwashers, simply because the makers of such appliances never had to deal with anything like this and are, essentially, at a security level we were 25 years ago.
But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments? I don't even expect different departments of huge corporations to work together anymore, but this is ridiculous.
And embarrassing.
Hmmmm.,
Interesting you never hear of these kinds of things with HomeKit devices...
But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments?
Samsung is generally incompetent at everything, except starting fires. They're absolutely great at that.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Comment removed based on user account deletion
My overall impression has been that, like many hardware-focused companies, they're simply terrible at creating high-quality software. I have a suspicion that's because the departments who create the hardware are considered their A-team and money-makers. On the other hand, software is just... necessary overhead - and should be finished as quickly and cheaply as possible to get the hardware working.
I think they have design process shortcomings throughout their engineering department. Their french door refrigerators leak water due to several design flaws. Their 840 EVO SSDs had design flaws that drastically slowed read speed. I know these two examples well since I own both products. Then of course there are the exploding phones.
Samsung is a no-go for me. Don't care how much cheaper their products are or how claimed performance is superior.
I never found a need in the first place for most home devices. But I also was concerned that they just added yet another device to hack. I have little trust these home device manufactures are that dedicated to a secure device. Is more about making dummy proof to setup for tech challenged buyers.
Not the worst idea so far. What you'd need for this is an internationally (or hell, at least nationally) recognized and promoted IoT security seal that shows the maker of the device has followed certain standards (that also have been tested by an independent security lab).
Yes, it ain't perfect, but it's leaps and bounds over the mess we have now. Because yes, I actually like the idea of appliances being controlled via the internet. But in their current state this is going to be a disaster. No later than when these news start to become a daily routine in the "normal" news, even tech illiterates will start to view "IoT" as a design flaw rather than a feature.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Seems like you answered your own million dollar question. The contest was rigged!!
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
To put it another way, the smart choice is to have a dumb home.
Why does my "turn off the lights" command to by bedroom digital assistant have to travel round trip to the device manufacturer's server before turning off the light in my bedroom? Sending the command directly from the assistant to the switch would be much faster, and wouldn't rely on the huge failure point of an internet connection to perform a simple task!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
That's not possible. Samsung is a company on fire, consistently coming up with the hottest products in the market, and explosive devices that no one else can match, in its hell-bent effort of singeing the competition.
https://en.wikipedia.org/wiki/The_Clapper
In other words, it doesn't.
Call me a Luddite, but I don't want to connect my house (door lock, appliances, thermostat) or car (door lock, brakes, steering) to the Internet. Too many bad things can happen - on purpose or by a software error.
Is there a Security Standard of any kind for IOT devices or is it just a free for all we'll implement whatever we want sort of thing ?
If there isn't, something along the lines of Underwriters Laboratories, designed for IOT / Consumer networked devices would be an outstanding idea.
There is no _technical_ reason to route commands through the company's server; this is done purely for vendor lock-in. The IoT vendors want to have control over your devices after you buy them! Of course, that means they can render any of your devices non-functional at any time, for any reason, including just to make you buy the newer version they are selling. Any device you buy that requires a connection to a company server, you haven't really bought anything -- you are renting time on the company server for a limited time.
I've abandoned my search for truth; now I'm just looking for some useful delusions.