Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Bug Privacy Security Television Technology

Bugs In Samsung IoT Hub Leave Smart Home Open To Attack (threatpost.com) 44

secwatcher writes from a report via Threatpost: Cisco Talos researchers found flaws located in Samsung's centralized controller, a component that connects to an array of IoT devices around the house -- from light bulbs, thermostats, and cameras. SmartThings Hub is one of several DIY home networking devices designed to allow homeowners to remotely manage and monitor digital devices. "Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities," researchers said in a report. Threatpost goes on to detail the "multiple attack chain scenarios." Thankfully, Samsung has since patched the bugs. "We are aware of the security vulnerabilities for SmartThings Hub V2 and released a patch for automatic update to address the issue," a Samsung spokesperson told Threatpost. "All active SmartThings Hub V2 devices in the market are updated to date." The company released a firmware advisory for Hub V2 devices on July 9th.
This discussion has been archived. No new comments can be posted.

Bugs In Samsung IoT Hub Leave Smart Home Open To Attack

Comments Filter:
  • Life is good again, and employment is up, for hackers. The primary reason to have a smartphone hub is security. If you don't have that, you might as well just let the devices talk directly to their servers as they wish.
    • by jwhyche ( 6192 )

      Doesn't any body in the computer field really use these things? I know several "mundanes", consult your jargon file for that use in this context, that use them. They have their houses wired with alexa and the google version. But every computer "professional" that I know won't touch the things with a 3 meter pole.

      My daughter wanted to put one in the family apartment. I instructed her that it might come in to conflict with rule #1. That rule being any machine that exhibits any form or self awareness wo

  • by thesjaakspoiler ( 4782965 ) on Friday July 27, 2018 @02:14AM (#57017612)
    Amazing that Cisco Talus was not able to find 1 vulnerability in a Cisco product!!1!
  • by Opportunist ( 166417 ) on Friday July 27, 2018 @02:25AM (#57017624)

    (from the hacker's prayer)

    Quite frankly, why? You know, I can see it with the makers of hardware that have no history with security or internet connectivity. I don't even wonder anymore why huge security holes gap in internet connected fridges and dishwashers, simply because the makers of such appliances never had to deal with anything like this and are, essentially, at a security level we were 25 years ago.

    But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments? I don't even expect different departments of huge corporations to work together anymore, but this is ridiculous.

    And embarrassing.

    • by mentil ( 1748130 )

      IMO security holes should be treated the same way as chemical spills: cleanup paid for by money placed in escrow by the ones responsible, rather than letting it become a superfund site that languishes on condemned property with a multi-billion-dollar cleanup price tag noone wants to shell out for.

    • Why do you think Samsung smartphone are secure? Apparently they're still not confident in keeping them from exploding.
    • by Dutch Gun ( 899105 ) on Friday July 27, 2018 @04:46AM (#57017888)

      Samsung's security record with their smartphones is exactly why this doesn't surprise me in the least to hear about exploits in other products. I mean, I remember hearing about how ineptly their early thumbprint readers or facial recognition features were designed, or what a disaster their own OS is in technical and security terms.

      My overall impression has been that, like many hardware-focused companies, they're simply terrible at creating high-quality software. I have a suspicion that's because the departments who create the hardware are considered their A-team and money-makers. On the other hand, software is just... necessary overhead - and should be finished as quickly and cheaply as possible to get the hardware working.

    • Comment removed based on user account deletion
      • Well, there could be a market for a dedicated IoT Linux distribution and licensing it, if, and only if, IoT makers wouldn't be so cheap to even ignore the GPL, let alone any other licenses that actually cost money.

        The problem is that for most of these appliances, internet connectivity is an afterthought and a gadget, a sales gimmick rather than an actual functionality that they care about. It's one more tick box on that tick box lists we like so much that determine which of the two indistinguishable applian

        • Comment removed based on user account deletion
          • Not the worst idea so far. What you'd need for this is an internationally (or hell, at least nationally) recognized and promoted IoT security seal that shows the maker of the device has followed certain standards (that also have been tested by an independent security lab).

            Yes, it ain't perfect, but it's leaps and bounds over the mess we have now. Because yes, I actually like the idea of appliances being controlled via the internet. But in their current state this is going to be a disaster. No later than whe

      • by Sloppy ( 14984 )

        Seems like you answered your own million dollar question. The contest was rigged!!

    • (from the hacker's prayer)

      Quite frankly, why? You know, I can see it with the makers of hardware that have no history with security or internet connectivity. I don't even wonder anymore why huge security holes gap in internet connected fridges and dishwashers, simply because the makers of such appliances never had to deal with anything like this and are, essentially, at a security level we were 25 years ago.

      But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments? I don't even expect different departments of huge corporations to work together anymore, but this is ridiculous.

      And embarrassing.

      Hmmmm.,

      Interesting you never hear of these kinds of things with HomeKit devices...

    • But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments?

      Samsung is generally incompetent at everything, except starting fires. They're absolutely great at that.

  • Still Smart? (Score:5, Interesting)

    by mentil ( 1748130 ) on Friday July 27, 2018 @02:54AM (#57017676)

    An entity can only be tricked/subverted/exploited so many times before one has to stop calling it 'smart'.

    • About being "smart"... here in our country highways are pestered with Smart(TM) cars, usually driven badly. We usually say that "smart" refers to the box, not to what is inside. Probably the same holds for smart homes...
  • by bankman ( 136859 ) on Friday July 27, 2018 @04:45AM (#57017886) Homepage

    I am so looking forward to the day insurance companies start inserting clauses that they won't cover smart home related cases, insisting that you have to prove your smart home devices weren't to blame for your insurance case. That's probably the only way the current idiotic trend can be averted.

  • Next up:

    Shocker! Pope catholic!
    This just in: Water is wet!
    Fascinating nature study reveals: Bears shit in the forrest!

    News brought to you by CORI - Captain Obvious Research Institute

  • by TomGreenhaw ( 929233 ) on Friday July 27, 2018 @08:18AM (#57018404)
    They patched all the products. Yes, there was a problem and it got fixed at no charge to its customers automatically.

    I decided to give this stuff a try and its very convenient. I don't use it to control locks, and in fact you can't even use Alexa to control locks and garage doors because its designed so conservatively. How can "Alexa, close the garage door" be a problem?

    Using a voice command to turn off all the lights is nice. Having small sensors on our keychains to turn the alarm on and off automatically is nice.

    With all the furor and FUD over privacy, I think a lot of people are quick to throw the baby out with the bath water.

    If you're worried about privacy, look at one of the many open source alternatives to Alexa or Google Home devices and contribute.
    • The same people poo pooing iot are the same people that poo pooed smartphones when they were new. Once it becomes more mainstream they'll realize all of the conveniences they're missing out on and get it too.
  • To put it another way, the smart choice is to have a dumb home.
  • Why does my "turn off the lights" command to by bedroom digital assistant have to travel round trip to the device manufacturer's server before turning off the light in my bedroom? Sending the command directly from the assistant to the switch would be much faster, and wouldn't rely on the huge failure point of an internet connection to perform a simple task!
  • That's not possible. Samsung is a company on fire, consistently coming up with the hottest products in the market, and explosive devices that no one else can match, in its hell-bent effort of singeing the competition.
  • Is there a Security Standard of any kind for IOT devices or is it just a free for all we'll implement whatever we want sort of thing ?

    If there isn't, something along the lines of Underwriters Laboratories, designed for IOT / Consumer networked devices would be an outstanding idea.

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...