Researchers at Cisco Talos recently spent some time probing the Samsung SmartThings Hub, a device designed to be the center of your smart home. They discovered a number of vulnerabilities that allow remote information leakage up to arbitrary remote code execution. The device is designed to communicate with a range of devices over Ethernet, Z-Wave, Bluetooth, and Zigbee. These devices could be smart locks, IP cameras, alarm systems, thermostats and more.
The researchers found a total of 20 vulnerabilities in the hub. They noted that while each of the vulnerabilities by themselves might not have a great impact on the security of the device, in many cases the vulnerabilities can be chained together to form a complete exploit. Three vulnerability chains were identified that allows an attacker to have complete control over the device.
The first chain allows for remote code execution on the hub. By using a vulnerability that allows for the execution of arbitrary SQL queries an attacker would be able to trigger a different vulnerability that allows for memory corruption. Specially crafted queries would allow the attacker to execute arbitrary code via this attack vector. The second chain allows the attacker to get a glance inside the ‘hubCore’ process of the device, leaking sensitive information. This is accomplished via a vulnerability that allows an empty file to be created anywhere on the device. While at first glance this vulnerability doesn’t seem impactful, the researchers learned that creating this empty file in a specific location causes the ‘hubCore’ process to crash and create a memory dump.
The third vulnerability in this chain allows for the capture of this information over the network. The last of the 3 chains allows for remote code execution with no prior authentication. This chain relies on sending specially crafted queries to the ‘video-core’ process running on the device. A vulnerability in the HTTP pipeline allows the requests to reach the vulnerable service with an arbitrary payload that triggers a buffer overflow, allowing for remote code execution. While the third exploit chain requires no authentication, the first two have varying requirements depending on a number of factors. In some cases anyone holding a valid OAuth bearer token can talk to the remote servers in order to trigger some of the vulnerabilities. Malicious apps designed for the hub can also be used to trigger the exploits.
Cisco Talos reported all the found vulnerabilities to Samsung. Samsung responded by fixing the bugs and pushing a firmware update to all connected SmartThings Hubs. While the hubs are designed to update automatically, it is always a good idea to verify the firmware version currently running and update manually if necessary.