Researchers at Cisco's security arm Talos have discovered a total of twenty vulnerabilities in Samsung's SmartThings controller. The flaws could enable hackers to gain information about a user, monitor and control devices within the home, or otherwise perform unauthorised activities.
In a blog post, researchers said that smart locks controlled by the SmartThings Hub could be unlocked, allowing for physical access to the home, cameras deployed within the home could be used to remotely monitor occupants, and motion detectors used by the home alarm system could be disabled.
The flaws are in the SmartThings central controller, which runs Linux-based firmware and communicates with other devices using wireless standards such as Zigbee, Z-Wave and Bluetooth. It also supports several third-party products, such as Philips Hue lighting.
Exploiting the vulnerabilities requires chaining the flaws together. "In isolation, some of these might be hard to exploit, but together they can be combined into a significant attack on the device," said researchers.
"Given that these devices can be deployed in many different scenarios, the impact of a successful attack against them could be severe."
One attack uses a remote code execution (RCE) vulnerability that can be exploited without prior authentication. The other two attacks require a hacker to gain prior authentication. Another attack enables a hacker to execute SQL queries against a database inside the device. A third attack chain can trigger an information leak that can be captured from the network.
Researchers noted that since the issue was reported, Samsung has pushed updates out to devices automatically, and no manual intervention will be required from users.
Javvad Malik, security advocate at AlienVault, told SC Media UK that IoT devices are typically not designed with security in mind. Even IoT devices that are intended to provide security have, ironically, been shown to be insecure.
"Ultimately, the onus is on manufacturers to ensure that the devices being sold have undergone rigorous testing, ideally by independent third parties to ensure the security of the systems," he said.
"For users of these devices, they should look for indicators that the product has some security considerations, for example, by ensuring data is collected, stored, and transmitted securely, whether there's an easy patching process for new updates, if users are forced to change default passwords on first use, and if the devices can be easily monitored so that signs of misuse can be quickly identified."
Paul Ducklin, senior technologist at Sophos, told SC Media UK that if criminals can reach out from the other side of the world with an automated script and hack into home networks then you can be sure they will.
"Remember that some of the data they'll probably acquire - network traffic, for example, screenshots, passwords, personal preferences - is ripe for further abuse right away by those same crooks. But even if they end up with data that's only indirectly useful for future criminality - inside pictures of your door and window locks, information about the hours you keep and when you are on vacation, and so on - then there's nothing to stop them selling that data on to crooks closer to your home," he said.