Users have grown wary of Internet of Things (IoT) devices since the Mirai botnet appeared and was used in DDoS attacks on high-profile companies. The latest exploit involving Samsung SmartCams reinforces the notion that IoT devices are easy targets.
Samsung's SmartCams have been exploited repeatedly since they went on sale. In the latest round, attackers were able to run commands on the camera as the root user; in earlier attacks, the main results were remote command execution and the ability to change the admin password. Note that the SmartCams were developed by Samsung Techwin, a former Samsung division now known as Hanwha Techwin; Samsung sold its controlling stake in Samsung Techwin to the South Korea-based Hanwha Group in 2015.
After the first attack, Samsung removed the SmartCam's local web interface entirely, so that users could only connect to the camera through Samsung's SmartCloud website. The company hoped this would head off further exploits. However, it deleted only the interface that the web server served and left the web server itself running, which opened the way for the second wave of exploits, in which commands were run on the SmartCam as root.
First attack demo
The attackers uploaded a file to the SmartCam's iWatch webcam monitoring service, posing as a firmware update, with a filename crafted to carry shell commands. Because the web server runs as root, the injected commands ran as root, giving the attackers remote command execution with full privileges.
Samsung states that Hanwha Techwin is responsible for the SmartCams sold under the Samsung name. The SmartCam is an IP camera that connects to Samsung's dedicated range of services, letting users view recorded events or live streams from anywhere in the world. It is marketed for round-the-clock monitoring of babies or pets and as a home and business security device.
Second attack demo
The vulnerability was discovered by Exploitee.rs, whose researchers stated:
“The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a PHP system call. Because the web server runs as root, the filename is user supplied, and the input is used without sanitization, we can inject our commands within to achieve root remote command execution.”
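The bug class described in the quote above, a user-supplied filename concatenated into a tar command that is handed to a shell, is easy to reproduce and easy to fix once seen side by side. The following is an added example, not Exploitee.rs' or Hanwha Techwin's code and not the SmartCam's PHP: it rebuilds the vulnerable pattern in Python (string concatenation into `shell=True`, which behaves like PHP `system()`), shows that a constructed malicious filename runs an injected `echo`, and then shows two hardened forms, an allowlist check combined with an argv list that never touches a shell, and per-argument quoting with `shlex.quote`, the equivalent of PHP's `escapeshellarg`. The upload directory and the sample filenames are assumptions made for the demonstration.

```python
"""Added example (not the SmartCam's code): filename injection into a tar
command handed to a shell, beside two hardened versions."""
import re
import shlex
import subprocess

# Constructed sample inputs: a plausible upload name and a malicious one.
BENIGN = "firmware_1.2.3.tgz"
# The payload closes the tar command with ';' and appends its own command.
# On the camera this would run as root, because the web server does.
MALICIOUS = "update.tgz; echo INJECTED; echo "

# Hypothetical upload directory, standing in for whatever iWatch used.
UPLOAD_DIR = "/tmp/iwatch_uploads"


def build_vulnerable_command(filename: str) -> str:
    # The vulnerable pattern: the filename is dropped into a command string
    # with no sanitization, exactly as in the PHP system() call described.
    return f"tar -xzf {UPLOAD_DIR}/{filename} -C {UPLOAD_DIR}"


def run_vulnerable(filename: str) -> str:
    # shell=True hands the whole string to /bin/sh, so ';' in the filename
    # terminates the tar command and the attacker's command runs next.
    proc = subprocess.run(build_vulnerable_command(filename), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def is_safe_filename(filename: str) -> bool:
    # Allowlist: letters, digits, '.', '_' and '-' only, never starting with
    # '-' (so it cannot be read as an option) and never containing '/' or
    # whitespace (so no path traversal and no shell word splitting).
    return re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,127}", filename) is not None


def run_hardened(filename: str) -> str:
    # Hardened form 1: reject anything outside the allowlist, then pass an
    # argv list. No shell is involved, so metacharacters are inert data.
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    argv = ["tar", "-xzf", f"{UPLOAD_DIR}/{filename}", "-C", UPLOAD_DIR]
    try:
        proc = subprocess.run(argv, capture_output=True, text=True)
    except FileNotFoundError:
        return ""  # tar not installed on this host; nothing ran
    return proc.stdout


def build_quoted_command(filename: str) -> str:
    # Hardened form 2: if a shell string is unavoidable, quote every
    # argument. shlex.quote is the counterpart of PHP's escapeshellarg.
    path = shlex.quote(f"{UPLOAD_DIR}/{filename}")
    return f"tar -xzf {path} -C {shlex.quote(UPLOAD_DIR)}"


def run_quoted(filename: str) -> str:
    # The quoted filename is now a single tar argument; tar fails on the
    # missing archive and the embedded 'echo INJECTED' never executes.
    proc = subprocess.run(build_quoted_command(filename), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable  :", build_vulnerable_command(MALICIOUS))
    print("  stdout    :", run_vulnerable(MALICIOUS).strip())
    print("quoted      :", build_quoted_command(MALICIOUS))
    print("  stdout    :", run_quoted(MALICIOUS).strip() or "(nothing injected)")
    print("allowlist   :", is_safe_filename(BENIGN), is_safe_filename(MALICIOUS))
```

Quoting alone closes the shell-injection hole, but the allowlist plus argv form is the one to prefer: it also stops path traversal via `/` and `..`, and it removes the shell from the picture entirely, so there is no quoting rule to get subtly wrong. Neither fix addresses the other half of the problem the quote names, namely that the web server ran as root; dropping privileges for the upload handler would have limited a successful injection to an unprivileged account.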