
Samsung Smartcam has a critical remote execution vulnerability, update coming



Securing a PC is hard enough, with an entire industry of security software vendors working to make your PC safe and companies like Microsoft making security a primary focus. There are many other pieces of the technology puzzle today where security seems to be taking a back seat, and they are all connected to the same risky internet.

One of the most vulnerable members of the Internet of Things (IoT) seems to be the humble webcam, which by its nature raises privacy concerns and which can be conscripted into botnets used for distributed denial-of-service (DDoS) attacks. Recently, one model in Samsung’s Smartcam line of webcams has been identified as having a serious vulnerability, PCWorld reports.


Samsung’s Smartcam is quite popular, offering a relatively simple device with easy setup and configuration using smartphone apps and the company’s My Smartcam cloud service. The move away from using an onboard web service for configuration was a decision made by the webcam’s original developer, Samsung Techwin, based on vulnerabilities identified in the web-based management interface.

In response, the Smartcam SNH-1011’s local web-based management portal was disabled, leaving only the apps and online service. While that was a logical response, the implementation had one problem: only the administrative interface was disabled. The web server itself kept running and still served other functionality, including the PHP scripts used by the iWatch video monitoring system, which were left in place.

It’s this PHP code that created the recently identified vulnerability discovered by “hacking collective” the Exploiteers. According to researchers from that organization, “The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a PHP system() call. Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution.”
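The injection class the Exploiteers describe, modelled here as an added example that is not the SNH-1011's own Install.php code nor anything published by the Exploiteers or Samsung: a user-supplied filename is spliced unquoted into a tar command string that a shell then parses (PHP's system()), shown beside a hardened form. The tar options, the destination directory and the crafted filename are constructed for the illustration; the example builds and tokenises the command strings rather than executing them.

```python
"""Constructed illustration of the command-injection pattern described above.

Not the real Install.php: it models, in Python, a user-supplied filename
being concatenated into a tar command that is handed to a shell.  The
destination directory, tar options and sample filename are assumptions.
"""
from __future__ import annotations

import re
import shlex
import subprocess

DEST_DIR = "/tmp/iwatch"  # assumed destination directory, not from the page

# A filename an attacker could supply: it ends the tar command early and
# appends a second command.  Constructed sample input.
CRAFTED_NAME = "cam.tar; id > /tmp/pwned"


def vulnerable_command(filename: str) -> str:
    """Build the command string the way the vulnerable pattern does.

    The filename is concatenated unvalidated and unquoted, so anything the
    shell can parse out of it becomes part of the command line.  In the
    PHP original such a string would go straight into system().
    """
    return f"tar -xvf {filename} -C {DEST_DIR}"


def shell_command_count(cmd: str) -> int:
    """Count how many separate commands a POSIX shell would run for cmd.

    shlex with punctuation_chars=True emits ';', '|', '&&' and '||' as their
    own tokens, which is enough to show where a crafted filename breaks out
    of the intended tar invocation.  Quoted text stays a single token.
    """
    tokens = list(shlex.shlex(cmd, posix=True, punctuation_chars=True))
    separators = {";", "|", "&&", "||"}
    return 1 + sum(1 for t in tokens if t in separators)


# Allowlist: starts with an alphanumeric (so it cannot be parsed as a tar
# option), then a short run of plain filename characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def safe_tar_argv(filename: str) -> list[str]:
    """Hardened form: validate the name, then build an argv list.

    Handing a list to subprocess.run (no shell) means tar receives the
    filename as one argument and no shell ever parses it.  Raises
    ValueError on anything that does not look like a plain filename.
    """
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["tar", "-xf", filename, "-C", DEST_DIR]


def extract_hardened(filename: str) -> subprocess.CompletedProcess:
    """Run the validated argv without a shell (not exercised below)."""
    return subprocess.run(safe_tar_argv(filename), check=True)


def quoted_command(filename: str) -> str:
    """Fallback when a shell string is unavoidable (PHP: escapeshellarg()).

    shlex.quote wraps the name so the shell sees a single argument.  Quoting
    alone still lets a name such as '-x' reach tar as an option, so the
    allowlist above is the primary control and quoting the second layer.
    """
    return f"tar -xvf {shlex.quote(filename)} -C {shlex.quote(DEST_DIR)}"


if __name__ == "__main__":
    vuln = vulnerable_command(CRAFTED_NAME)
    print("vulnerable:", vuln, "->", shell_command_count(vuln), "commands")
    quoted = quoted_command(CRAFTED_NAME)
    print("quoted    :", quoted, "->", shell_command_count(quoted), "command")
    try:
        safe_tar_argv(CRAFTED_NAME)
    except ValueError as err:
        print("hardened  :", err)
    print("hardened  :", safe_tar_argv("cam.tar"))
```

The second thing to notice in the Exploiteers' description is the privilege level: validation stops the injection, but nothing in this block changes the fact that a web server running as root turns any remaining bug into a full device compromise, so the server should run as an unprivileged user as well.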

(Embedded media: Samsung Smartcam iWatch Root Exploit)

Samsung has reached out with a statement clarifying the situation: “It was recently discovered that the Samsung Smartcam SNH-1011 security cameras contain a code execution vulnerability that could allow hackers to gain root access and take full control of them. Upon further inspection, the web server running on this device hosted a PHP script related to a third-party service. This vulnerability only affects the SNH-1011 model and will be removed in an upcoming firmware update. As a result, we are taking every precaution to prevent additional issues with products in the SmartCam line. As a reminder, it is best practice for consumers to ensure their home networks are protected with passwords that are complex and regularly updated.”

That narrows the affected hardware to a single Smartcam model. If you are using an SNH-1011, turn it off, or at least keep it off the internet (no port forwarding to the camera and no exposed web interface), until Samsung ships the promised firmware update.

This story was originally published in January 2017. Updated on 01-18-2017 by Mark Coppock: Added official Samsung statement.

Mark Coppock
Former Computing Writer