Multiple flaws found in Samsung SmartThings Hub


Enterprise network security researchers found dozens of flaws that could expose smart home devices to attacks

Enterprise network security experts discovered 20 vulnerabilities in the firmware of Samsung’s SmartThings Hub controller that could expose any compatible smart home device to cyber attacks. These vulnerabilities could allow a hacker to execute operating system commands or other arbitrary code on the affected devices.

Samsung SmartThings Hub is a central controller that can be used to manage a wide range of Internet of Things (IoT) devices in a smart home environment, including smart plugs, LED light bulbs, thermostats and cameras. Access to these IoT devices could allow hackers to collect sensitive information managed by devices within the smart home and perform unauthorized activities.

Samsung SmartThings Hub runs Linux-based firmware and communicates with IoT devices over wireless standards such as Zigbee, Z-Wave and Bluetooth. Enterprise network security experts explained that hackers need to chain several existing vulnerabilities to exploit the SmartThings Hub flaws. Experts identified three chains, one of which is a Remote Code Execution (RCE) chain that can be exploited without prior authentication.

Remote Code Execution chain – CVE-2018-3911

This RCE chain affects the hub’s HTTP server; hackers could exploit it to inject HTTP requests into this process from another network. The underlying flaw is an exploitable HTTP header injection vulnerability in the communications between the hub and remote servers. It could be exploited by sending specially crafted HTTP requests to vulnerable devices.
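
As a general illustration of the header injection bug class named above, this added example (not the hub's firmware code, and not from the researchers) shows a request builder that formats an untrusted value straight into an HTTP header beside a hardened version that rejects CR/LF and other control bytes. The `/status` path, the `X-Device-Id` header, the host name and the sample value are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an identifier field carrying an embedded CRLF. */
static const char SAMPLE_BAD_ID[] = "hub-01\r\nX-Injected: 1";

/* A header value may not contain CR, LF or other control bytes (tab is allowed). */
int header_value_ok(const char *v)
{
    for (const unsigned char *p = (const unsigned char *)v; *p; p++) {
        if (*p == '\t') continue;
        if (*p < 0x20 || *p == 0x7f) return 0;
    }
    return 1;
}

/* "Before": the untrusted value is formatted straight into the header block. */
int build_request_unsafe(char *out, size_t cap, const char *host, const char *id)
{
    int n = snprintf(out, cap,
                     "GET /status HTTP/1.1\r\nHost: %s\r\nX-Device-Id: %s\r\n\r\n",
                     host, id);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* "After": refuse to build the request if any value could end a header line. */
int build_request_safe(char *out, size_t cap, const char *host, const char *id)
{
    if (!header_value_ok(host) || !header_value_ok(id)) return -1;
    return build_request_unsafe(out, cap, host, id);
}

/* Number of lines (request line + headers) before the blank line, or -1. */
int count_header_lines(const char *req)
{
    const char *end = strstr(req, "\r\n\r\n");
    if (!end) return -1;
    int lines = 1;
    for (const char *p = req; (p = strstr(p, "\r\n")) != NULL && p < end; p += 2)
        lines++;
    return lines;
}

int main(void)
{
    char buf[256];
    build_request_unsafe(buf, sizeof buf, "example.invalid", SAMPLE_BAD_ID);
    printf("unsafe builder: %d lines (3 expected)\n", count_header_lines(buf));
    printf("safe builder returns %d\n",
           build_request_safe(buf, sizeof buf, "example.invalid", SAMPLE_BAD_ID));
    return 0;
}
```

The unsafe builder emits one more header line than its format string contains, which is the condition a receiving parser cannot distinguish from a legitimate header; the hardened builder fails closed instead.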

Other chains

The other chains identified by the investigators can be exploited only by an attacker who has already authenticated. The first chain exploits the vulnerability CVE-2018-3879, allowing authenticated attackers to execute SQL queries against a database running on the IoT device.

Enterprise network security experts remark that chaining this vulnerability to a string of other memory corruption vulnerabilities (such as CVE-2018-3880, CVE-2018-3906, CVE-2018-3912 to CVE-2018-3917 and CVE-2018-3919) affecting the Samsung SmartThings Hub makes it possible to execute arbitrary code on the network.

Experts noted that CVE-2018-3879 can also be exploited in the last attack chain for remote information leakage. This vulnerability can be used to create an empty file inside the device. By chaining the 3 vulnerabilities in an established order, an attacker can obtain a memory dump of the “HubCore” process, which contains most of the central logic, and hence sensitive device information.

Experts in enterprise network security tested and confirmed that the 0.20.17 firmware version of the Samsung SmartThings Hub STH-ETH-250 is affected by these vulnerabilities.

Enterprise network security experts from the International Institute of Cyber Security report that Samsung is already working on the vulnerabilities and that update patches will be installed automatically.