At least one type of Samsung SmartCam camera can be taken over by remote attackers who only need to know the vulnerable camera’s IP address.
The remote code execution vulnerability that makes the attack possible was discovered by hackers from the Exploitee.rs team, who demonstrated the attack in a video.
Years ago, the same group flagged an attack method that allowed remote attackers to abuse the camera’s web interface to change the administrator password, thus allowing them to take control of the camera. At the time, Samsung reacted by removing access to the interface (built into the devices) and forcing camera owners to manage the device via the Samsung SmartCloud website – a move that angered some users.
“We decided to audit the device once more to see if there is a way we can give users back access to their cameras while at the same time verifying the security of the device’s new firmware,” the researchers noted.
So they probed the web interface, and found backend scripts that the company failed to remove. Unfortunately for Samsung and its cameras’ users, the scripts in question have a command injection bug that can be easily triggered.
“The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a php system() call. Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution,” they explained.
More technical details about the vulnerability and POC code can be found here.
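The pattern the researchers describe, a user-supplied filename concatenated into a `tar` command line for `system()`, is shown below next to a hardened form. This is an added illustration, not code from the camera firmware or from Exploitee.rs; the function names, the staging directory and the sample filenames are assumptions, and the script only prints the command strings instead of running them.

```php
<?php
// Constructed illustration: function names, the staging directory and the
// sample filenames are assumptions, not taken from the camera firmware.

const UPLOAD_DIR = '/tmp/fw_upload';   // assumed staging directory

// Vulnerable pattern described in the quote: the user-supplied filename is
// pasted into a shell command line that would be handed to system().
function build_unsafe_command(string $filename): string
{
    return 'tar -xzf ' . UPLOAD_DIR . '/' . $filename . ' -C ' . UPLOAD_DIR;
}

// Hardened pattern: refuse directories, allowlist the name, quote arguments.
function build_safe_command(string $filename): ?string
{
    $name = basename($filename);
    // Allowlist: first character is alphanumeric (so the name can never be
    // read as a tar option), the rest is [A-Za-z0-9._-], and it ends in .tgz.
    if ($name !== $filename
        || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.tgz\z/', $name)) {
        return null; // reject instead of trying to "clean" the input
    }
    $archive = escapeshellarg(UPLOAD_DIR . '/' . $name);
    return 'tar -xzf ' . $archive . ' -C ' . escapeshellarg(UPLOAD_DIR);
}

// Constructed sample inputs: an ordinary name, one carrying shell syntax,
// and one attempting to leave the staging directory.
$samples = ['update.tgz', 'update.tgz; echo INJECTED #', '../../etc/x.tgz'];

foreach ($samples as $s) {
    echo "input : $s\n";
    echo "unsafe: " . build_unsafe_command($s) . "\n";
    $safe = build_safe_command($s);
    echo "safe  : " . ($safe ?? '(rejected)') . "\n\n";
}
```

In the unsafe output the second sample turns into two shell commands, which is the injection; the hardened builder rejects it outright. Running the web server as an unprivileged user instead of root would further limit what any remaining flaw of this kind could reach.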
The researchers successfully tested the attack against the SNH-1011 Samsung SmartCam, but it’s possible other types of Samsung cameras are vulnerable as well.