13 Vulnerabilities in Hanwha SmartCams Demonstrate Risks of Feature Complexity

The researchers at Kaspersky Lab ICS CERT decided to check the popular Hanwha SmartCams and discovered 13 vulnerabilities.

Wikipedia describes Attack Surface as “[the] sum of the different points (the “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment.”

Basically, the more points there are to compromise a system, the more likely the system will be compromised. In Internet of Things (IoT) development, the potentially vulnerable points correlate with features, and the Hanwha SNH-V6410PN/PNW SmartCam has a lot of them.

A few of the features listed on the manufacturer’s website: remote control from your smartphone via wifi, two-way communication via built-in microphone, record video or still images to your smart device, event notification.

All of these present a potential vulnerability point to be exploited. In the case of this Samsung-branded SmartCam, it looks like all of them are vulnerable, as security researchers at Kaspersky documented 13 separate vulnerabilities:

  • Use of insecure HTTP protocol during firmware update
  • Use of insecure HTTP protocol during camera interaction via HTTP API
  • An undocumented (hidden) capability for switching the web interface using the file ‘dnpqtjqltm’
  • Buffer overflow in file ‘dnpqtjqltm’ for switching the web interface
  • A feature for the remote execution of commands with root privileges
  • A capability to remotely change the administrator password
  • Denial of service for SmartCam
  • No protection from brute force attacks for the camera’s admin account password
  • A weak password policy when registering the camera on the server samsungsmartcam.com. Attacks against users of SmartCam applications are possible
  • Communication with other cameras is possible via the cloud server
  • Blocking of new camera registration on the cloud server
  • Authentication bypass on SmartCam. Change of administrator password and remote execution of commands.
  • Restoration of camera password for the SmartCam cloud account

This looks like a lot of vulnerabilities, but it is not surprising for an IoT device that offers as wide a range of features as the SmartCam. Combining hardware that acts like a web server with a cloud server, streaming video and audio, and mobile application support creates a lot of places to make mistakes.

Because the cameras rely on HTTP instead of encrypted HTTPS, bad actors can inject their own code into firmware updates as they are downloaded to the cameras, or control the camera and microphone as they choose when the SmartCam is operated via the HTTP interface.

The developers also missed some very basic account management security controls. Being able to change admin account passwords remotely could allow an attacker to load their own malicious code on the camera to send video to the destination of their choosing, lock the legitimate user out of their hardware, enlist the camera in a botnet, or even mine cryptocurrency.
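A device can reject a firmware image altered in transit regardless of the transport by authenticating a manifest that binds the image digest to a version number. The sketch below is an added example, not code from Hanwha or Kaspersky; the manifest fields, key and function names are assumptions, and HMAC-SHA256 stands in for a vendor public-key signature so the block runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in for an asymmetric signature:
# a real device would hold only the vendor's public key, never a signing secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _tag(body: dict, key: bytes) -> str:
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def sign_manifest(image: bytes, version: int, key: bytes = DEMO_KEY) -> dict:
    """Vendor side: bind the image digest and version under one tag."""
    body = {"sha256": hashlib.sha256(image).hexdigest(), "version": version}
    return {**body, "tag": _tag(body, key)}


def verify_update(image: bytes, manifest: dict, installed_version: int,
                  key: bytes = DEMO_KEY) -> str:
    """Device side: return 'ok' or the reason the update is rejected."""
    try:
        body = {"sha256": str(manifest["sha256"]), "version": manifest["version"]}
        tag = str(manifest["tag"])
    except (KeyError, TypeError):
        return "malformed manifest"
    if not isinstance(body["version"], int):
        return "malformed manifest"
    # 1. The manifest itself must be authentic before any field is trusted.
    if not hmac.compare_digest(_tag(body, key).encode(), tag.encode()):
        return "manifest authentication failed"
    # 2. The downloaded bytes must match the authenticated digest.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest.encode(), body["sha256"].encode()):
        return "image digest mismatch"
    # 3. An authentic but older image must not be replayed onto the device.
    if body["version"] <= installed_version:
        return "rollback or replay rejected"
    return "ok"


if __name__ == "__main__":
    image = b"\x7fELF constructed firmware image v5"      # constructed sample
    manifest = sign_manifest(image, version=5)
    tampered = image + b"injected"
    forged = dict(manifest, sha256=hashlib.sha256(tampered).hexdigest())
    print(verify_update(image, manifest, 4))      # genuine update
    print(verify_update(tampered, manifest, 4))   # image modified in transit
    print(verify_update(tampered, forged, 4))     # manifest rewritten as well
    print(verify_update(image, manifest, 5))      # old image replayed
```

With this check in place, an on-path modification over plain HTTP causes a failed update rather than code execution; HTTPS is still needed to protect the camera control API itself.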

Even if the camera is hidden behind a firewall, the poorly implemented password controls in the cloud service offer a channel for the bad actors to find and control the camera.

There is even an interesting attack vector where the attacker “clones” the individual’s camera such that the victim sees the video feed from the attacker’s camera instead of their own. One can imagine a Hollywood movie scene where a security camera feed is replaced with the view from an empty hallway while the criminals walk through the building with impunity.

These cameras are also subject to the common Denial of Service vulnerabilities often found in IoT devices. There is one unique method that leverages the cloud service in this case. If the bad actor is able to register the camera details first, the legitimate customer will be unable to register and their SmartCam becomes useless.

In a blog post on March 12, Vladimir Dashchenko confirmed that these vulnerabilities exist “not only in the camera being researched but all manufacturer’s smart cameras manufactured by Hanwha Techwin. The latter also makes firmware for Samsung cameras.”

Following notification from the researcher, Hanwha has started to release firmware updates to fix the vulnerabilities, but this work continues. Details about the fixed vulnerabilities are available from the following CVEs: CVE-2018-6294, CVE-2018-6295, CVE-2018-6296, CVE-2018-6297, CVE-2018-6298, CVE-2018-6299, CVE-2018-6300, CVE-2018-6301, CVE-2018-6302, CVE-2018-6303.

It is tempting to purchase the solution with the most features for the lowest price because it feels like the best deal. However, getting to the lowest price usually requires compromises, and are you getting a deal if the compromises come in features you don’t need?

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.


Pierluigi Paganini

(Security Affairs – Internet of Things, Hanwha)
