Samsung SmartThings Hub, a central hub that connects different smart home devices together, was found to contain 20 separate vulnerabilities by cybersecurity researchers at Cisco’s Talos.
“In total, Talos found 20 vulnerabilities in the Samsung SmartThings Hub. These vulnerabilities vary in the level of access required by an attacker to exploit them and the level of access they give an attacker. In isolation, some of these might be hard to exploit, but together they can be combined into a significant attack on the device,” said the researchers at Cisco’s Talos.
The Samsung SmartThings Hub STH-ETH-250 running firmware version 0.20.17 was identified as vulnerable to attacks.
Samsung’s SmartThings Hub supports multiple connection standards such as Zigbee, Z-Wave and Bluetooth. If an attacker exploits the weaknesses and takes control of the hub, all connected devices could be taken over, putting the home at risk. For instance, a smart lock at the front door could be unlocked, a security camera and motion detectors could be disabled, and devices connected to smart plugs could be turned off.
To exploit these vulnerabilities and break into a smart home successfully, attackers would need to chain several of them together, such as remote code execution allowing arbitrary SQL queries against a database on the device, remote information leakage from creating empty file paths, and injection of HTTP requests into processes.
Samsung has released an over-the-air (OTA) software and firmware update to fix these 20 vulnerabilities. The SmartThings Hub should be automatically updated to improve its security.
Homeowners can also check their SmartThings Hub’s firmware version in the mobile app or the SmartThings web console.
“Samsung did a lot of things right and should be commended for the way they designed their devices to be easily updated. Every piece of software from every vendor has bugs if you look closely enough,” said Craig Williams, director of Cisco Talos Outreach, to ZDNet.