Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub.
The SmartThings Hub is a central controller that monitors and manages various IoT devices such as smart plugs, LED light bulbs, thermostats, cameras, and more that would typically be deployed in a smart home.
The SmartThings Hub functions as a centralised controller for these devices and allows users to remotely connect to and manage these devices using a smartphone. The firmware running on the SmartThings Hub is Linux-based and allows for communications with IoT devices using a variety of different technologies such as Ethernet, Zigbee, Z-Wave and Bluetooth.
Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorised activities, according to Talos.
"We're often asked, 'Why would cybercriminals bother to attack 'smart homes'?', as though the average household contained nothing of value," said Paul Ducklin, Senior Technologist at Sophos.
"That's the wrong question. You should be asking, 'Why wouldn't they?’"
Criminals can hack into home networks to steal network traffic, screen shots, passwords, software configuration details and more from anywhere in the world. They can also access inside pictures of door and window locks, information about the hours users keep and when they are on vacation. While this may not be directly useful to them, they are then able to sell this information to criminals closer to home.
Attackers could also unlock Smart Locks controlled by the SmartThings Hub, disable motion sensors, turn off smart plugs, use cameras within the home to remotely monitor occupants or cause physical adamance to appliances connected to smart plugs within the home.
In total, Talos found 20 vulnerabilities in the Samsung SmartThings Hub.
“If you have a SmartThings hub,” said Ducklin, “get it patched right now. That’s your immediate response if you're an early adopter. If you aren't an early adopter, and you want a more secure Internet of Things five or ten years from now, don't buy into the Internet of Things trend just because it sounds cool. Vote with your chequebook, your credit card, your NFC payments app, your Bitcoin wallet - don't rush out and buy so-called 'smart' kit because it's trendy.”
“Shop around, research the vendor, ask on security forums, and join the whole 'smart home' revolution with your own eyes open, not the eyes of some woefully insecure connected camera. Make 'smart device' vendors earn your cybersecurity trust - don't let them buy it with groovy marketing campaigns,” added Ducklin.
Cisco Talos has worked with Samsung to ensure that any issues have been resolved and that a firmware update has been made available for affected customers.