Hanwha’s SmartCam cameras are affected by more than a dozen vulnerabilities, including critical flaws that can be exploited remotely to take control of devices.
The impacted cameras are widely used for surveillance and monitoring. They can record at high resolutions, they have night vision capabilities and motion sensors, and they allow their users to talk to the person being monitored via a built-in speaker. The product can be controlled remotely from any type of device and all the recorded video is stored in the cloud.
Samsung Electronics sold its Samsung Techwin security division to South Korean conglomerate Hanwha Group in 2014. However, Hanwha’s SmartCam products are still branded “Samsung.”
Researchers have analyzed these devices and discovered a significant number of flaws. The issues were disclosed last week by Vladimir Dashchenko, senior security researcher at Kaspersky Lab, at the company’s Security Analyst Summit (SAS) in Cancun. The security firm also published a blog post on Monday describing the findings.
The vulnerabilities can be exploited for intercepting traffic due to the use of HTTP for firmware updates and interaction with the camera, manipulating the web-based user interface, remote code execution with root privileges, denial-of-service (DoS) attacks, brute-force attacks on the admin account, and bypassing authentication.
Experts have identified roughly 2,000 IP addresses associated with cameras exposed to the Internet, but they believe the actual number of vulnerable devices is much higher considering that the flaws can be exploited even against devices that are not directly accessible from the Web due to weaknesses in the SmartCam cloud infrastructure.
One of the flaws found by Kaspersky can be exploited to register cameras that have yet to be registered. This not only prevents legitimate owners from registering and using their cameras, but also allows hackers to take control of the cameras they have registered.
Due to vulnerabilities in the cloud infrastructure, an attacker could have spoofed the update server in an effort to push malicious firmware to a device. Modified firmware can provide privileged access to the targeted camera, serving as an entry point to the rest of the network housing the device, experts say.
Researchers also discovered that a hacker can easily clone a camera in an effort to spoof its video feed.
“The attacker then resets the password using a vulnerability in the password generation algorithm and modifies the firmware of the cloned camera (which is an identical camera located on the attacker’s side). The victim’s camera is then remotely disabled. As a result, the victim will receive a video signal from the attacker’s cloned camera,” Kaspersky researchers explained.
The setup process for the cameras also involves providing credentials for social media and other online services for sending notifications to the user, which can be abused by cybercriminals for phishing and spam campaigns.
Dashchenko told SecurityWeek that remote attacks against these cameras are a multi-stage process that starts with identifying the targeted device’s serial number and MAC address. The serial number can be obtained by either guessing or brute-forcing it.
Large-scale attacks are also possible with the use of scripts and automation mechanisms, Dashchenko said.
Kaspersky’s ICS-CERT team has conducted its research on Hanwha SNH-V6410PN/PNW SmartCam devices, but the same firmware is used for multiple camera models — different features in the firmware are active depending on the model — which means many of the company’s products are likely affected by these vulnerabilities.
The vendor patched many of the vulnerabilities shortly after being notified and Kaspersky has only disclosed the details of the flaws that have been fixed.