As Samsung and Swann IoT apps breached, when will we confront our security flaws?

On Thursday, security flaws were revealed within the firmware of Samsung‘s SmartThings Hub. Cisco Talos issued a blog on multiple vulnerabilities. As Jeremy Cowan reports, this is not the only IoT security flaw exposed recently. No surprise then, that enterprises are getting twitchy about the security of their future IIoT services.

Talos finds Samsung Smart Things vulnerability

Cisco Talos has been working with Samsung to ensure that these issues have been resolved and that a firmware update has been made available for affected customers.

The hub is a central controller that allows smartphone-equipped users to monitor and manage various Internet of Things (IoT)-enabled household electronics. These include: light bulbs; heating, ventilation & air-conditioning (HVAC) systems; door locks, and so on. These vulnerabilities could allow an attacker to execute operating system (OS) commands or other arbitrary code on affected devices.

The firmware running on the SmartThings Hub is Linux-based and allows for communications with IoT devices using a variety of different technologies such as Ethernet, Zigbee, Z-Wave and Bluetooth.

The flaw has been disclosed to Samsung who now have a fix available, but the vulnerabilities are said by a Cisco Talos spokesperson to be “quite severe”.

Given that these devices often gather sensitive information, the vulnerabilities discovered could enable an attacker to monitor and control devices within the home or business, or to perform unauthorised activities. For example:

  • Smart locks controlled by the SmartThings Hub could be unlocked, allowing for physical access to the home.
  • Cameras deployed within the home could be used to remotely monitor occupants.
  • Motion detectors used by the intruder alarm system could be disabled.
  • Smart plugs could be controlled to turn off or on important systems that may be connected.
  • Thermostats could be controlled by unauthorised attackers.
  • Attackers could also cause physical damage to appliances or other devices that may be connected to smart plugs deployed within a smart building.

Swann’s home security cameras hijacked

At the same time last week, news was breaking that Swann’s security cameras could easily be hijacked and their video and audio feeds accessed. The popular brand of wireless security camera — designed to safeguard businesses and homes — was, in fact, vulnerable to a spying hack.

The flaw meant it was possible to access video and audio streamed from other people’s properties by making a minor change to Swann Security‘s app. Researchers found the problem after the BBC reported a case where one customer had received another’s recordings.

Responding to the new findings, Swann has told the BBC that the problem was confined to one model, the SWWHD-Intcam, also known as the Swann Smart Security Camera.

Commenting on this, Adam Brown, manager of security solutions at California-based Synopsys, an application security testing company, tells IoT Now: “I personally have experience with Swann cameras – I used to have one, albeit different from the one in the report. I found that the camera feed itself could be accessed directly from the network the camera was on, and there was some access control over that video feed – a hardcoded password, as I remember – this is bad practice.

“If that camera was placed directly on the internet (not behind a firewall) then prying eyes could potentially see what my camera could see. Obvious lax security controls indicate systemic failings. Without speculating on the technicalities of what went wrong here, I would surmise that the software security initiative at Swann is either lacking or could benefit from some deliberate improvement driven from management. The camera market is catching up in cybersecurity. Leading Chinese manufacturers are integrating privacy and security into their cameras and infrastructure. Privacy and security are going to be vital for the camera industry, itself placed as a security solution,” Brown adds.

Security is No.1 concern in IIoT

So, is it any wonder that security is the biggest concern for businesses considering their future in industrial Internet of Things (IIoT)? We’ve asked it before, but what kind of humsn disaster (and damaging headlines) will it take before device OEMs start to take security seriously?

According to the 2018 SANS Institute Industrial IoT Security Survey Report, security is the biggest worry when it comes to Industrial Internet of Things.

Dean Ferrando, Tripwire: “The expansion of connected devices comes with risk.

Dean Ferrando, systems engineer manager at Tripwire comments: “The expansion of connected devices and technology comes with risk. The development and deployment of an Industrial Internet of Things brings safety to the top of that risk assessment. This is partly down to IoT manufacturers shipping devices with little or no security, so it is critical for product developers to thoroughly examine the technology in the devices and guarantee that security is being programmed at the software stage to remove any flaws.

“When connected devices can make material changes in the physical world, life and safety become especially relevant to cybersecurity. This is why security within critical infrastructure must be addressed at the highest level. Thankfully, as new devices and issues arise, there is an abundance of defence mechanisms and technologies to choose from,” Ferrando concludes. “If industrial organisations are to avoid being hit by a cyberattack, implementing a security hygiene strategy that incorporates educating the workforce alongside investing in the right technology needs to be in place.”

The author of this article is
Jeremy Cowan (pictured left),
editorial director of IoT Now
and VanillaPlus.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow

 

RECENT ARTICLES

Aeris to acquire IoT business from Ericsson

Posted on: December 8, 2022

Ericsson and Aeris Communications, a provider of Internet of Things (IoT) solutions based in San Jose, California, have signed an agreement for the transfer of Ericsson’s IoT Accelerator and Connected Vehicle Cloud businesses.

Read more

Telenor IoT passes milestone of 20mn SIM cards

Posted on: December 8, 2022

Telenor, the global IoT provider and telecom operator, has experienced rapid growth over the last years and ranks among the top 3 IoT operators in Europe and among the top IoT operators in the world. The positive development is due to an accelerated pace of new customers combined with a successful growth of existing customers’

Read more
FEATURED IoT STORIES

The IoT Adoption Boom – Everything You Need to Know

Posted on: September 28, 2022

In an age when we seem to go through technology boom after technology boom, it’s hard to imagine one sticking out. However, IoT adoption, or the Internet of Things adoption, is leading the charge to dominate the next decade’s discussion around business IT. Below, we’ll discuss the current boom, what’s driving it, where it’s going,

Read more

Talking Heads: The M2M Doctor is in the House

Posted on: December 26, 2013

Mobile health is M2M at its most rewarding. So says, Dan MacDuffie CEO of Wyless (left). And he should know, his managed services company has achieved 50% yearon- year growth recently and a growing portion of that is in mHealth and Wellness services. He’s certain we’re standing on the threshold of a new generation of health services that cut delivery costs, extend the reach

Read more

Talking Heads: mHealth gains ground as one-stop shops and M2M with ‘wired safety net’ bring efficient patient monitoring

Posted on: December 23, 2013

For years analysts have touted mobile healthcare as a huge opportunity for those offering machine-to-machine communication (M2M) services. Truth be told, the progress so far has been patchy, at best. So M2M Now asked Alexander Bufalino, SEVP Global Marketing at Telit, to describe the hurdles in the way of M2M mHealth, how they are now being overcome and what

Read more

Unlocking the total value of M2M

Posted on: December 19, 2013

Do you ever wonder why people and organisations invest in machine-to-machine communications (M2M) and the Internet of Things (IoT), asks Fred Yentz? Reasons may differ somewhat across industry segments but in most cases they fall in one or more of three categories: To make money, to save money or to be compliant. ILS Technology is squarely focused on helping

Read more

Paving the way to the Internet of Things

Posted on: December 17, 2013

Combining the ARM computing engine with location-awareness and wireless connectivity It’s set to be the Perfect Storm: The rapid growth of high-speed cellular networks and the introduction of IP version 6 which has enough IP addresses for every grain of sand on Earth. Add to this mix the proliferation of the ARM embedded computing architecture, now the de facto global

Read more

What’s the ‘real deal’ on the Internet of Things?

Posted on: December 16, 2013

The ‘Internet of Things’ buzzword appears to have picked up steam during the past several months as large players such as GE and Cisco have touted their stories on the growing number of connected devices. But, as Alex Brisbourne of KORE asks, how different, if at all, is the Internet of Things when compared with other connected device markets,

Read more

M2M Now Magazine December 2013 Edition

Posted on: December 5, 2013

M2M Now magazine explores the evolving opportunities and challenges facing CSPs across this sector. Our exclusive interviews pass on some key lessons learned by those who have taken the first steps in next gen Machine to Machine (M2M) services. In the latest issue: TALKING HEADS: Alexander Bufalino of Telit tells how one-stop shops and M2M with a ‘wired

Read more