Web-connected cameras can be great security and monitoring tools that can keep your home safe. With a smartphone or a computer, these cameras allow you to view their live feeds over the internet, essential for home security, surveillance or for keeping an eye on children or pets.
But as Internet of Things hacks become more common, what if these webcams that are supposed to make you feel safe and secure are full of security holes themselves? What if someone can turn these cameras against you and invade your privacy?
This is exactly what has been found, yet again, with a popular line of web-connected cameras.
A vulnerability was recently discovered that puts Samsung SmartCams at serious risk. The bug can allow a hacker to remotely control these cameras and even change their login credentials with mere knowledge of their IP addresses.
The security team Exploitee.rs, credited with discovering the flaw, states that the vulnerability lies in the camera’s web server code, which attackers can exploit to inject their own commands at the root level.
The team says they tested the bug successfully on a Samsung SmartCam SNH-1011, but it is “believed to affect the entire Samsung SmartCam series of devices.”
This is not the first time the Exploitee.rs have notified Samsung of exploits for this line of webcams.
Last August, the team found a similar set of bugs that allowed unauthorized access via the devices’ web interface. Instead of fixing the problem, Samsung disabled the web interface and made the cameras accessible only through its cloud-based “SmartCloud” portal.
According to the Exploitee.rs, this angered users because disabling the native web interface prevented the camera from being used in custom monitoring setups. This prompted the team to re-audit the device to see whether there was a way to give back local access and, at the same time, verify the security of the new firmware.
The team found that because of “improper sanitization of the iWatch firmware update filename,” another hole remained that could allow an unauthorized user to execute remote commands as the root user. This means that when Samsung patched the first issue, the code was not properly “cleaned up,” and one of the scripts was left untouched.
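The bug class described above, as an added example that is not Samsung's or Exploitee.rs's code: a client-supplied firmware filename pasted into a shell string, beside a version that allowlists the name and builds an argument list that never reaches a shell. The installer path, staging directory, naming pattern and function names are all hypothetical.

```python
import re
import shlex

# Hypothetical values, constructed for this example (not taken from the device).
INSTALLER = "/usr/sbin/fw_install"
UPLOAD_DIR = "/tmp/fw_upload"
# Assumed naming convention for update archives: plain name ending in .tgz.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.tgz")


def unsafe_command(filename):
    """Flawed pattern: the unsanitized name becomes part of a shell command line."""
    return f"{INSTALLER} {UPLOAD_DIR}/{filename}"


def shell_operators(command):
    """Return the control operators a POSIX shell would see in the string."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and set(tok) <= set("();<>|&")]


def safe_argv(filename):
    """Allowlist the name, then return an argv list for subprocess.run(argv)
    with shell=False, so no shell ever parses the filename."""
    if not ALLOWED_NAME.fullmatch(filename) or ".." in filename:
        raise ValueError(f"rejected firmware filename: {filename!r}")
    return [INSTALLER, f"{UPLOAD_DIR}/{filename}"]


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed name, three malformed ones.
    for name in ["update_1.2.tgz", "update.tgz;reboot", "../x.tgz", "a..b.tgz"]:
        ops = shell_operators(unsafe_command(name))
        try:
            verdict = "accepted: " + " ".join(safe_argv(name))
        except ValueError as exc:
            verdict = str(exc)
        print(f"{name!r}: shell operators in unsafe form={ops}; {verdict}")
```

Validation alone is not the whole fix: keeping the filename out of any shell-parsed string means that a gap in the pattern cannot turn into command execution.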
For its part, Samsung issued a statement that the bug only affects the SNH-1011 model and a firmware update will be pushed out soon to patch the issue.
In the meantime, if you own any of these Samsung SmartCams, please check out the Exploitee.rs post detailing the technicalities of the exploit, which also includes an unofficial DIY fix for the problem and even a hack for restoring the web interface.