Image credit: Patrick T. Fallon / Bloomberg via Getty Images

Hackers break into Samsung Smartcam again

After publishing the first exploits at DEFCON 22, the device giant fixed all the old vulnerabilities but one.

Samsung's SmartCam has fit into users' DIY surveillance setups for years thanks to its smartphone control and local (non-cloud) storage. But at last August's DEFCON 22 security conference, members of the hacking blog Exploiteers listed exploits for the networked camera that allowed remote command execution and let them change the administrator's password. Rather than fix it, Samsung ripped out the accessible web interface and forced users to run their SmartCams through the device giant's SmartCloud website. So, like good little hackers, Exploiteers broke into the camera again with a different exploit.

Samsung had patched the original vulnerabilities but left one set of scripts untouched: the PHP files that provide firmware updates via the camera's "iWatch" webcam monitoring service. Those scripts have a command injection bug that lets a user without admin privileges execute remote commands as root. Exploiteers helpfully provided a technical writeup explaining how the exploit works, how to fix the vulnerability and even how to re-enable the web interface.

Update: Samsung shared the following statement regarding the hack:

It was recently discovered that the Samsung SmartCam SNH-1011 security cameras contain a code execution vulnerability that could allow hackers to gain root access and take full control of them. Upon further inspection, the web server running on this device hosted a PHP script related to a 3rd party service. This vulnerability only affects the SNH-1011 model, and will be removed in an upcoming firmware update.
As a result, we are taking every precaution to prevent additional issues with products in the SmartCam line. As a reminder, it is best practice for consumers to ensure their home networks are protected with passwords that are complex and regularly updated.
