Samsung “Smart” Camera Is Ridiculously Hackable

Image courtesy of Eric Hauser

A security camera in your house that you can access remotely might seem like a good idea at first. You can log into it from anywhere, to see what’s going on and if it really was the cat who opened your kitchen cabinets every day last week. But the problem with a thing you can access remotely is that a sufficiently determined bad actor can, too. And sometimes it doesn’t even take much determination.

The latest company to find its products are astonishingly vulnerable? According to a report from Ars Technica, that’d be Samsung, which is continuing to have a bad year in basically every way.

The explanation of how is a little on the tech-heavy side. Basically, the researchers explain, the devices have a web interface built into them. That web interface was discovered to be easily hackable a few years ago, so Samsung pulled it down. Users who own the cameras now have to use the more-secure Samsung SmartCloud website to access them.

But the ability to reach the original web interface is still on the cameras themselves, and that’s how the hacking team got access to the device they were testing. Using that access, they were then able to reach and modify the code that lets the camera update its firmware. Once they were able to access that code, they could do basically anything they wanted with it.

It’s a complicated chain to follow for most folks, but for tech experts and hackers, it’s an incredibly straightforward thing to do. The long and the short of it is, any Samsung camera with this security flaw is vulnerable to having malicious code remotely executed on it.

The researchers confirmed that they have definitely been able to do this on a SmartCam SNH-1011 model Samsung camera — but, as Ars points out, they also say it is likely that other product models in the same line share the flaw.

Web-connected cameras are, in general, one of the most consistently, disastrously insecure product types on the market today.

Back in 2014, for example, we saw one site aggregate feeds from thousands of cameras around the world that were not secured and easily accessible. Then in 2015, researchers said it takes a handful of minutes to hack into most “smart” home security devices, including cameras.

In the years since, we’ve only seen internet-connected devices proliferate — which means bad security is proliferating right along with them. Not only are all those insecure devices leaving users vulnerable to having their privacy intruded upon and possibly their data compromised, but also the devices themselves are increasingly becoming criminal botnets that, for example, can be used to launch large-scale attacks on internet hosts.

In fact, a wide-scale attack that took down DNS host Dyn, and many of its clients (like Reddit, Twitter, Spotify, and others), in October has been explicitly linked to insecure webcams made in China and since recalled.

The problem is so large and difficult that the FTC recently announced a competition and $25,000 prize to anyone who actually invents a tool that home consumers can use to protect themselves from vulnerabilities in their smart stuff.

In the meantime, this particular Samsung camera issue is tricky. The researchers who discovered and publicized the flaw have also released a homebrew patch — but that’s not a sustainable long-term solution for all users, nor is installing untested third-party software necessarily going to be a popular act even for the folks who do know how.