Full Report
The researchers at Kaspersky Lab ICS CERT decided to check the popular smart camera to see how well protected it is against cyber abuses.
Analysis Summary
Based on the research conducted by Kaspersky Lab ICS CERT (2018), here is the summary of the vulnerabilities identified within the smart camera ecosystem (specifically the Hanwha Techwin/Samsung SmartCam series).
# Vulnerability: Multiple Flaws in Smart Camera Cloud Infrastructure and Firmware
## CVE Details
*Note: At the time of the report, multiple vulnerabilities had been identified and reported to the vendor, resulting in various patches; however, the summary report did not list a separate ID for every individual sub-flaw.*
- **CVE ID:** CVE-2018-6294, CVE-2018-6295, CVE-2018-6296, CVE-2018-6297, CVE-2018-6298, CVE-2018-6299, CVE-2018-6300, CVE-2018-6301, CVE-2018-6302, CVE-2018-6303.
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication), CWE-78 (OS Command Injection), CWE-20 (Improper Input Validation).
## Affected Systems
- **Products:** Hanwha Techwin SmartCam (formerly Samsung SmartCam).
- **Versions:** Firmware versions prior to released updates in early 2018.
- **Configurations:** Devices registered to the manufacturer’s cloud ecosystem and using the "XMPP" protocol for communication.
## Vulnerability Description
The researchers identified a systemic failure in the architecture of the smart camera's cloud interaction:
1. **Insecure Authentication:** The cloud server did not adequately validate the identity of requests, allowing an attacker to register their own account and manipulate camera associations.
2. **OS Command Injection:** Weaknesses in the camera's communication protocol handling (specifically via the XMPP messaging) allowed for the execution of arbitrary commands with root privileges.
3. **Insecure Update Mechanism:** The firmware update process lacked proper signature verification, allowing for the delivery of malicious firmware via a Man-in-the-Middle (MitM) attack or by spoofing the update server.
## Exploitation
- **Status:** PoC developed by researchers; no confirmed "in-the-wild" exploitation reported at the time of publication.
- **Complexity:** Low to Medium (depending on the specific flaw; cloud-side flaws were easily reachable).
- **Attack Vector:** Network (Remote) – Attacks can be carried out over the internet via the cloud API.
## Impact
- **Confidentiality:** Total (Access to live video/audio streams and user credentials).
- **Integrity:** Total (Ability to modify firmware, settings, and device behavior).
- **Availability:** Total (Ability to brick the device or disconnect it from the legitimate owner).
## Remediation
### Patches
- **Vendor Action:** Hanwha Techwin released updated firmware versions for affected SmartCam models.
- **Required Action:** Users should ensure they are running the latest firmware version via the "SmartCam" mobile application or the official web portal.
### Workarounds
- **Network Isolation:** Place IoT cameras on a dedicated VLAN separate from sensitive data.
- **Restrict Access:** Change default passwords immediately (though this does not mitigate cloud-side logic flaws).
- **Disable Unused Services:** If the device allows, disable P2P or cloud features not in use.
## Detection
- **Indicators of Compromise:**
  - Unusual outbound traffic to unknown XMPP servers.
  - Unexpected restarts or modifications to camera settings.
  - Presence of unrecognized administrative accounts in the cloud portal.
- **Detection Methods:** Network traffic analysis for non-standard protocol behavior originating from the camera's IP.
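
One way to apply the first indicator and the detection method above to exported flow records. This is an added example, not code from the Kaspersky report or the vendor. The camera subnet, the approved XMPP server address, the port baseline and the CSV layout are all assumptions to replace with site values.

```python
import csv
import io
import ipaddress

# Assumptions (not from the report): camera subnet, approved XMPP servers and
# the baseline of expected destination ports are placeholders for your site.
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")
APPROVED_XMPP = {ipaddress.ip_address("203.0.113.10")}
# 5222 (client) and 5269 (server-to-server) are the registered XMPP ports;
# 5223 is the legacy TLS-wrapped client port.
XMPP_PORTS = {5222, 5223, 5269}
EXPECTED_PORTS = XMPP_PORTS | {53, 123, 443}

# Constructed sample flow log (documentation address ranges only).
SAMPLE_FLOWS = """\
src,dst,dport,proto
10.20.30.15,203.0.113.10,5222,tcp
10.20.30.15,198.51.100.77,5222,tcp
10.20.30.16,203.0.113.10,443,tcp
10.20.30.16,198.51.100.9,6667,tcp
192.168.1.5,198.51.100.77,5222,tcp
10.20.30.17,not-an-ip,5222,tcp
"""

def find_suspicious_flows(flow_csv):
    """Return (src, dst, dport, reason) tuples for camera flows worth triage."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (ValueError, KeyError, TypeError):
            # Malformed records are surfaced, not silently dropped.
            alerts.append((row.get("src"), row.get("dst"), row.get("dport"),
                           "unparseable record"))
            continue
        if src not in CAMERA_NET:
            continue  # only traffic originating from cameras is in scope
        if dport in XMPP_PORTS and dst not in APPROVED_XMPP:
            alerts.append((str(src), str(dst), dport, "XMPP to unapproved server"))
        elif dport not in EXPECTED_PORTS:
            alerts.append((str(src), str(dst), dport, "port outside camera baseline"))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_flows(SAMPLE_FLOWS):
        print(alert)
```

Port-based matching misses XMPP tunnelled over 443, so pair it with protocol identification from the network sensor where available.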
## References
- **Kaspersky ICS CERT Report:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2018/03/12/somebodys-watching-when-cameras-are-more-than-just-smart/
- **Vendor Advisory:** hxxps[://]www[.]hanwhavision[.]com/en/support/cybersecurity/ (General Security Portal)