Multiple vulnerabilities in Samsung’s SmartThings Hub

Security intelligence firm Cisco Talos has discovered 20 vulnerabilities in Samsung’s SmartThings Hub. These vulnerabilities could have allowed an attacker to execute OS commands or other arbitrary code on affected devices.

Although Talos acknowledged in its report that some of these vulnerabilities would have been difficult to exploit in isolation, attackers could have combined several of them to launch a “significant attack on the device”.


Cisco Talos has since worked with Samsung to ensure that these issues have been resolved and that a firmware update has been made available for affected customers.

Craig Young, principal security researcher at Tripwire: “For an attacker, smart home hubs are an ideal point of attack. A compromised hub can not only give a foothold into a home network and expose usernames and passwords, it can also allow an attacker to control devices and to generally spy on victims.”


“Depending on the types of gadgets linked to it, a smart home hub can reveal when people are home and what they are doing (or even saying) at home.”

“Talos has found a wide range of vulnerabilities within the SmartThings Hub but these are not the types of issues typically used in widespread malware campaigns. Although the team did demonstrate that an attacker on the local network can achieve code execution, the bug chain is far more complex than what is commonly being exploited by IoT botnets today. It is possible however that a remote attacker could employ cross-site request forgery or DNS rebinding to remotely install a backdoor into the SmartThings Hub.”


“In terms of securing IoT devices like this, I recommend segmenting networks and enabling DNS rebinding protection. This means that you should not browse the web or use smartphone applications while on the same network segment as connected devices and that public domain names cannot point back to your private network devices.”
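The DNS rebinding protection recommended above amounts to a resolver refusing private-range answers for public names. The following is an added sketch of that check, not code from the article, Talos or Samsung; the function names, the local-suffix allowlist and the sample responses are constructed for illustration.

```python
import ipaddress

# Assumed allowlist: names the network owner expects to map to internal hosts.
LOCAL_SUFFIXES = (".lan", ".home.arpa")


def is_internal(addr: str) -> bool:
    """True if addr is private, loopback, link-local or unspecified."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:192.168.1.50 is an IPv4 address wrapped in IPv6; unwrap it so the
    # IPv4 range checks apply regardless of Python version.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def filter_answers(qname: str, answers: list[str]) -> tuple[list[str], list[str]]:
    """Split the A/AAAA answers for qname into (kept, dropped)."""
    name = qname.rstrip(".").lower()
    if name.endswith(LOCAL_SUFFIXES):
        # Local names are allowed to resolve to internal addresses.
        return list(answers), []
    kept = [a for a in answers if not is_internal(a)]
    dropped = [a for a in answers if is_internal(a)]
    return kept, dropped


# Constructed sample responses: (query name, returned addresses).
SAMPLE_RESPONSES = [
    ("www.example.com", ["93.184.216.34"]),
    ("rebind.example.net", ["192.168.1.50"]),
    ("mixed.example.net", ["93.184.216.34", "10.0.0.2"]),
    ("mapped.example.net", ["::ffff:192.168.1.50"]),
    ("hub.lan", ["192.168.1.50"]),
]


def rebinding_suspects(responses):
    """Return the query names for which at least one answer was dropped."""
    return [q for q, ans in responses if filter_answers(q, ans)[1]]


if __name__ == "__main__":
    for qname, answers in SAMPLE_RESPONSES:
        kept, dropped = filter_answers(qname, answers)
        print(f"{qname}: kept={kept} dropped={dropped}")
```
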



Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders, helping them manage business-critical issues both for today and in the future.
