Multiple vulnerabilities in Samsung SmartThings Hub could have allowed attackers to remotely monitor and control Internet of Things gadgets connected to the device.
Described by Samsung as 'the brain of your smart home,' the SmartThings Hub is a single hub used to connect and control other connected devices in the home.
However, security holes in the device meant that attackers could exploit the SmartThings Hub and use it to carry out unauthorised actions, including snooping through cameras, unlocking smart locks, disabling alarms, turning off devices connected to smart plugs and more.
The 20 separate vulnerabilities were uncovered by vulnerability researchers at Cisco Talos. The vulnerabilities give different levels of access to the device, and while the researchers state "some of these might be hard to exploit", in the hands of someone with the right technical knowledge it is possible to combine them into a "significant attack".
To succeed, attackers would have to chain together a number of vulnerabilities, such as remote code execution that allows arbitrary SQL queries against a database inside the device, remote information leakage through the creation of empty file paths, and the injection of HTTP requests into processes running on the hub.
"There is no such thing as bullet-proof software. Samsung did a lot of things right and should be commended for the way they designed their devices to be easily updated. Every piece of software from every vendor has bugs if you look closely enough," Craig Williams, Director of Cisco Talos Outreach, told ZDNet.
Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17 was vulnerable to the attacks, but now Samsung has applied a patch to close the security loopholes - something Talos has praised, as the nature of the device means patches and updates are automatically applied.
"Samsung takes security very seriously and our products and services are designed with security as a priority. We are aware of the security vulnerabilities for SmartThings Hub V2 and released a patch for automatic update to address the issue. All active SmartThings Hub V2 devices in the market are updated to date," a Samsung spokesperson told ZDNet.
"Just like just about every other aspect of our digital lives, consumers and businesses need to do their due diligence to make sure they are buying and installing solutions that are backed by a security conscious provider. Any vendor you choose should have a track record of quality solutions that are easily updated. You need to know they take security seriously," said Williams.