Bugs In Samsung IoT Hub Leave Smart Home Open To Attack (threatpost.com) 44
secwatcher writes from a report via Threatpost: Cisco Talos researchers found flaws located in Samsung's centralized controller, a component that connects to an array of IoT devices around the house -- from light bulbs, thermostats, and cameras. SmartThings Hub is one of several DIY home networking devices designed to allow homeowners to remotely manage and monitor digital devices. "Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities," researchers said in a report. Threatpost goes on to detail the "multiple attack chain scenarios." Thankfully, Samsung has since patched the bugs. "We are aware of the security vulnerabilities for SmartThings Hub V2 and released a patch for automatic update to address the issue," a Samsung spokesperson told Threatpost. "All active SmartThings Hub V2 devices in the market are updated to date." The company released a firmware advisory for Hub V2 devices on July 9th.
it's a party! (Score:2)
Re: (Score:3)
Doesn't any body in the computer field really use these things? I know several "mundanes", consult your jargon file for that use in this context, that use them. They have their houses wired with alexa and the google version. But every computer "professional" that I know won't touch the things with a 3 meter pole.
My daughter wanted to put one in the family apartment. I instructed her that it might come in to conflict with rule #1. That rule being any machine that exhibits any form or self awareness wo
No vulnerabilities in Cisco products? (Score:3, Insightful)
Re: No vulnerabilities in Cisco products? (Score:2)
...and give us this day our daily IoT exploit... (Score:5, Insightful)
(from the hacker's prayer)
Quite frankly, why? You know, I can see it with the makers of hardware that have no history with security or internet connectivity. I don't even wonder anymore why huge security holes gap in internet connected fridges and dishwashers, simply because the makers of such appliances never had to deal with anything like this and are, essentially, at a security level we were 25 years ago.
But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments? I don't even expect different departments of huge corporations to work together anymore, but this is ridiculous.
And embarrassing.
Re: (Score:3)
IMO security holes should be treated the same way as chemical spills: cleanup paid for by money placed in escrow by the ones responsible, rather than letting it become a superfund site that languishes on condemned property with a multi-billion-dollar cleanup price tag noone wants to shell out for.
Re: ...and give us this day our daily IoT exploit. (Score:2)
Re:...and give us this day our daily IoT exploit.. (Score:4, Insightful)
Samsung's security record with their smartphones is exactly why this doesn't surprise me in the least to hear about exploits in other products. I mean, I remember hearing about how ineptly their early thumbprint readers or facial recognition features were designed, or what a disaster their own OS is in technical and security terms.
My overall impression has been that, like many hardware-focused companies, they're simply terrible at creating high-quality software. I have a suspicion that's because the departments who create the hardware are considered their A-team and money-makers. On the other hand, software is just... necessary overhead - and should be finished as quickly and cheaply as possible to get the hardware working.
Re: (Score:2)
Re: (Score:2)
Well, there could be a market for a dedicated IoT Linux distribution and licensing it, if, and only if, IoT makers wouldn't be so cheap to even ignore the GPL, let alone any other licenses that actually cost money.
The problem is that for most of these appliances, internet connectivity is an afterthought and a gadget, a sales gimmick rather than an actual functionality that they care about. It's one more tick box on that tick box lists we like so much that determine which of the two indistinguishable applian
Re: (Score:2)
Re: (Score:2)
Not the worst idea so far. What you'd need for this is an internationally (or hell, at least nationally) recognized and promoted IoT security seal that shows the maker of the device has followed certain standards (that also have been tested by an independent security lab).
Yes, it ain't perfect, but it's leaps and bounds over the mess we have now. Because yes, I actually like the idea of appliances being controlled via the internet. But in their current state this is going to be a disaster. No later than whe
Re: (Score:2)
Seems like you answered your own million dollar question. The contest was rigged!!
Re: (Score:2)
(from the hacker's prayer)
Quite frankly, why? You know, I can see it with the makers of hardware that have no history with security or internet connectivity. I don't even wonder anymore why huge security holes gap in internet connected fridges and dishwashers, simply because the makers of such appliances never had to deal with anything like this and are, essentially, at a security level we were 25 years ago.
But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments? I don't even expect different departments of huge corporations to work together anymore, but this is ridiculous.
And embarrassing.
Hmmmm.,
Interesting you never hear of these kinds of things with HomeKit devices...
Re: (Score:1)
But SAMSUNG? C'mon, folks, you have the people over in the smartphone branch, is it really that impossible to at least look over the fence to the other departments?
Samsung is generally incompetent at everything, except starting fires. They're absolutely great at that.
Still Smart? (Score:5, Interesting)
An entity can only be tricked/subverted/exploited so many times before one has to stop calling it 'smart'.
Re: (Score:2)
The Day Smart Home Dies (Score:4, Interesting)
I am so looking forward to the day insurance companies start inserting clauses that they won't cover smart home related cases, insisting that you have to prove your smart home devices weren't to blame for your insurance case. That's probably the only way the current idiotic trend can be averted.
NEWSFLASH! IoT fad a super-unsafe thing! (Score:2)
Next up:
Shocker! Pope catholic!
This just in: Water is wet!
Fascinating nature study reveals: Bears shit in the forrest!
News brought to you by CORI - Captain Obvious Research Institute
Sensational news misses the point (Score:5, Insightful)
I decided to give this stuff a try and its very convenient. I don't use it to control locks, and in fact you can't even use Alexa to control locks and garage doors because its designed so conservatively. How can "Alexa, close the garage door" be a problem?
Using a voice command to turn off all the lights is nice. Having small sensors on our keychains to turn the alarm on and off automatically is nice.
With all the furor and FUD over privacy, I think a lot of people are quick to throw the baby out with the bath water.
If you're worried about privacy, look at one of the many open source alternatives to Alexa or Google Home devices and contribute.
Re: (Score:2)
The Smart Choice (Score:2)
Centralized control of IoT has always bothered me (Score:2)
Re: (Score:2)
Bugs in Samsung? (Score:2)
Silly question but (Score:2)
Is there a Security Standard of any kind for IOT devices or is it just a free for all we'll implement whatever we want sort of thing ?
If there isn't, something along the lines of Underwriters Laboratories, designed for IOT / Consumer networked devices would be an outstanding idea.