Cisco’s cybersecurity arm Cisco Talos has discovered a number of vulnerabilities in the firmware of Samsung’s SmartThings Hub.
The device is designed to be controlled using a smartphone app, giving the owner oversight of all connected devices in the home, meaning that any security flaw could have serious consequences.
Cisco Talos’ Claudio Bozzato found that the SmartThings Hub was severely compromised.
Major vulnerabilities
Bozzato discovered firmware vulnerabilities that made it possible for an attacker to take control of the Hub and, by extension, access sensitive information, monitor and control devices within the home, and perform other unauthorised activities – with potentially devastating consequences.
The seriousness of the flaw would, in some senses, depend on how many smart devices the homeowner had connected to the Hub. For example, Cisco Talos found that using the exploit, smart locks under the control of the SmartThings Hub could be unlocked, literally opening the front door to an attacker. Security systems could also be disabled, including motion sensors and smoke detectors.
From a privacy standpoint, the vulnerability also allowed an attacker to take control of cameras within the home and remotely monitor its occupants.
Cisco Talos discovered a total of 20 vulnerabilities affecting the SmartThings Hub. While they vary in terms of severity and “in isolation, some might be hard to exploit… together they can be combined into a significant attack on the device,” Talos wrote in a blog post on the subject.
As is standard procedure in these scenarios, Cisco Talos has alerted Samsung to the issues and worked with the South Korean company to ensure they are being resolved.
A firmware update has been made available, with both companies recommending that owners should update their devices as soon as possible.
“While devices such as the SmartThings Hub are typically deployed to provide additional convenience and automation to users, special consideration must be made to ensure that they are configured securely, and updated when new firmware updates are made available by the manufacturer,” wrote the cybersecurity company.
“Given that these devices can be deployed in many different scenarios, the impact of a successful attack against them could be severe.”
Internet of Business says
Cisco Talos’ discovery is the latest in a line of recent security flaws discovered in connected home products.
Earlier this year it was revealed that Google’s smart home devices leak precise location data. Amazon’s Alexa-powered smart speakers were also found to have serious privacy flaws.
Much recent talk about IoT security vulnerabilities has placed the blame on end users for not changing default passwords, but the latest revelations about Samsung’s smart home products suggest that manufacturers need to do much more to protect devices themselves.
Indeed, in some cases, manufacturers may be part of the security problem. As Internet of Business noted recently, the UK’s Consumers Association published a report earlier this year saying that corporate surveillance of smart home customers had reached “staggering” levels.