
Image credit: Patrick T. Fallon / Bloomberg via Getty Images

Hackers break into Samsung Smartcam again

After publishing the first exploits at DEFCON 22, the device giant fixed all the old vulnerabilities but one.

Samsung's SmartCam has fit into users' DIY surveillance setups for years thanks to its smartphone control and local (non-cloud) storage. But at last August's DEFCON 22 security conference, members of the hacking blog Exploiteers listed exploits for the networked camera that allowed remote command execution and let them change the administrator's password. Rather than fix it, Samsung ripped out the accessible web interface and forced users to run their SmartCams through the device giant's SmartCloud website. So, like good little hackers, Exploiteers broke into the camera again with a different exploit.

Samsung had patched the original vulnerabilities but left one set of scripts untouched: the PHP files that provide firmware updates via the camera's "iWatch" webcam monitoring service. Those scripts have a command injection bug that lets a user without admin privileges execute commands remotely as root. Exploiteers helpfully provided a technical writeup explaining how to do it, how to fix the vulnerability and even how to re-enable the web interface.

Update: Samsung shared the following statement regarding the hack:

It was recently discovered that the Samsung SmartCam SNH-1011 security cameras contain a code execution vulnerability that could allow hackers to gain root access and take full control of them. Upon further inspection, the web server running on this device hosted a PHP script related to a 3rd party service. This vulnerability only affects the SNH-1011 model, and will be removed in an upcoming firmware update.
As a result, we are taking every precaution to prevent additional issues with products in the SmartCam line. As a reminder, it is best practice for consumers to ensure their home networks are protected with passwords that are complex and regularly updated.
