Forgot your password?
typodupeerror
Security Encryption Enlightenment Wireless Networking

Samsung 'Smart' Camera Easily Hackable 62

Posted by Soulskill
from the for-generous-definitions-of-the-word-smart dept.
An anonymous reader writes "The op-co.de blog has a post about the incredibly poor job Samsung did securing its new NX300 'smart camera.' One of the camera's primary features is that it can join Wi-Fi networks — this lets it upload photos, but it also lets you use your smartphone to access the photos on the camera directly. You can also connect with NFC. Unfortunately, the way they set it up is extremely insecure. First, there's an NFC tag that tells the camera where to download the app, and also the name of the access point set up by the camera. 'The tag is writable, so a malicious user can easily 'hack' your camera by rewriting its tag to download some evil app, or to open nasty links in your web browser, merely by touching it with an NFC-enabled smartphone.' Things aren't much better with Wi-Fi — a simple port scan reveals that the camera is running an unprotected X server (running Enlightenment). When the camera checks for new firmware, it helpfully reports your physical location. Its software also sets up unencrypted access points."
This discussion has been archived. No new comments can be posted.

Samsung 'Smart' Camera Easily Hackable

Comments Filter:
  • by Anonymous Coward

    It doesn't matter how trivial or good the protection is, the DMCA says that because it's protected, no matter how trivially, then it's illegal to hack it!

    And because it's illegal, it's impossible to hack! Making it illegal always puts a stop to everything. That's why we have no murders, no thefts, once our brilliant politicians figure this out we can get on to business and make crime illegal too.

    Anyways, the point I'm making is this was a foreseeable consequence of the DMCA.

  • I'm Safe. (Score:4, Funny)

    by Anonymous Coward on Wednesday May 07, 2014 @04:20PM (#46943055)

    I have this camera but it can't be hacked. I live in Denver, which is in the AFC.

  • by DrXym (126579) on Wednesday May 07, 2014 @04:21PM (#46943057)
    I've never seen one of these cameras and I doubt many other people have either. Nor does it seem likely that there are hackers standing by to "touch" the powered up, wifi connected camera with an NFC phone without the owner of the camera noticing. And when all is said a relatively trivial patch would correct the issue.
    • by Jeff Flanagan (2981883) on Wednesday May 07, 2014 @04:42PM (#46943229)
      >I've never seen one of these cameras and I doubt many other people have either.
      Agreed.

      >Nor does it seem likely that there are hackers standing by to "touch" the powered up, wifi connected camera
      Agreed.

      >And when all is said a relatively trivial patch would correct the issue.
      Yes, but it should have been secure out of the box. Many manufacturers don't give a lot of thought to security, and that needs to change. If someone can own your camera over their WiFi, they can load an app that gives them access to YOUR WiFi when you get home. That's pretty serious.
      • by DrXym (126579)
        Yes it should have been secure out of the box but this really doesn't seem like a big deal either terms of liklihood of happening, or in the fix required to secure it - some kind of "do you want to remember device XYZ which is trying to talk over NFC?" dialog.
    • And when all is said a relatively trivial patch would correct the issue.

      The patch is always trivial, the ability to get it to all people that have the device nearly impossible.

      • by DrXym (126579)
        It's a wifi connected android device. Getting the patch to people is a matter of pushing an updated app or firmware next time it checks for updates.
        • It's a wifi connected android device.

          In case you had not read before, that by itself means almost nothing in regards to updates.

  • by Anonymous Coward

    Samsung just doesn't support it. You'd figure for $750 they could have at the very least secured it.

  • by Anonymous Coward

    So if I have this TV at home... all it takes is someone having to break into my home and hook up their NFC enabled smartphone to it... they have to break into my home... Good luck, most hackers don't go outside...

  • You're still supposed to make it secure!

  • Hack Off! (Score:3, Insightful)

    by Mr D from 63 (3395377) on Wednesday May 07, 2014 @04:34PM (#46943163)
    I have begun to despise the term "hacked". As anything that can be used in any manner other than its purest fundamentally intended purpose, is considered to be hackable.

    Not everything needs to be secure. My mailbox in not secure. I have photos printed at by others. When I start taking nude selfies, I'll make sure wifi is turned off.
  • by 93 Escort Wagon (326346) on Wednesday May 07, 2014 @04:54PM (#46943321)

    Wow, someone actually is still using Enlightenment...

  • Either the manufacturer produces a phone so locked down that you can only use it the way they want you to and everyone complains and RMS froths at the mouth... Or the manufacturer produces a phone full of holes and everyone complains... Only RMS is happy. RMS being unhappy is far more entertaining.

  • by mx_mx_mx (1625481) on Wednesday May 07, 2014 @04:58PM (#46943359)

    This would be pure awesomeness to show goatse on the screen of the camera to unsuspecting viewer while he aims for the shot....

    • by Type44Q (1233630)

      This would be pure awesomeness to show goatse on the screen of the camera to unsuspecting viewer while he aims for the shot....

      I'm told there are surgeons in Mexico and Brazil who can make that happen for you...

    • by phorm (591458)

      With an overlay so that you can see what's in the viewfinder through the *ahem* orifice?

  • by SirJorgelOfBorgel (897488) on Wednesday May 07, 2014 @05:15PM (#46943531)

    While this camera should of course be more secure - what exactly are we comparing it to ?

    Do you think your Canons and Nikons are safe? Lots of models allow remote control using either USB or Wi-Fi. USB requires a cable from your smartphone running the malicious software, while Wi-Fi obviously does not. For Wi-Fi you need to get past the encryption, but the joke is, lots of people actually run their camera's Wi-Fi without encryption (surprisingly, some photo blogs advise it for ease of use). You're still not home free though as there's a pairing process when Wi-Fi is used, but if the camera owner's smartphone is active on Wi-Fi (not necessarily even the same network - just turned on), this is not hard to beat either.

    If you can get connected to these cameras either via USB (completely unprotected) or Wi-Fi, it is not just possible to manipulate, retrieve, replace, wipe, etc all images present, you can fully control the camera's settings and even send malformed commands to completely disable the camera, only to be (potentially - it depends on the model) revived by a Canon/Nikon repair center. This while most users think the worst that can happen is someone copying their pictures ...

    You think the NX300 is bad? Consider that pretty much nobody owns an NX300, while virtually all photojournalists active in countries with questionable rights to free speech have one of these affected Canons and Nikons ...

    • If you can get connected to these cameras either via USB (completely unprotected) or Wi-Fi, it is not just possible to manipulate, retrieve, replace, wipe, etc all images present, you can fully control the camera's settings and even send malformed commands to completely disable the camera, only to be (potentially - it depends on the model) revived by a Canon/Nikon repair center. This while most users think the worst that can happen is someone copying their pictures ...

      And if you think that's bad, they could also connect their hammer to your phone, and send commands that will permanently disable your phone.

    • by Darinbob (1142669)

      The thing is that you can't have high security and also have high convenience. Thus consumer devices are intentionally given insecure features in order to make them more usable. Thus, drivers that automatically install on your computer merely because you plugged in your phone to power it (damn you microsoft, you are not allowed to install random files without my permission). So similarly with this camera I assume the marketing people did not want to bother the computer illiterate user with all sorts of "

      • Of course. I'm not even advocating the need for change - I'm just trying to point out that cameras like these not being very secure appears to be the rule, not the exception, though not everyone appears to be aware of this. I could see an article like this leading to talk that you shouldn't buy Samsung because it isn't secure, advising other brands instead - but those aren't necessarily any better.

    • What difference does it make when after taking the photo, you just upload it to Facebook?

    • by thegarbz (1787294)

      So what you're saying is that Nikon and Canon are as bad as Samsung, except for the lack of easy auto configuration providing this exploit, a reduced number of wireless attack vectors, and the ability to setup an encrypted connection on the camera.

      Good argument! /sarcasm

      • Good job intentionally not seeing the point just to be able to make a trollish/sarcastic remark. You must do great at parties.

  • by carrier lost (222597) on Wednesday May 07, 2014 @06:50PM (#46944315) Homepage

    ...a simple port scan reveals that the camera is running an unprotected X server (running Enlightenment).

    And here I thought I was the only one running Enlightenment

  • Remember when the 54G had craptastic insecure firmware, but interesting hardware?

    If this thing is already running linux, X, and doing opportunistic wifi, there's a bunch of projects that are calling its name.

The universe does not have laws -- it has habits, and habits can be broken.

Working...