Which? That smart home camera? The one with the vulns? Really?

Security experts confounded by consumer org's assessment


Which? Magazine has been called out for recommending a line of smart home cameras with known vulnerabilities.

The Consumers' Association magazine has worked hard to build trust in its consumer-focused product reviews. The fact that the Samsung SmartCam SNH-P-6410 smart home security camera still has Which's "Best Buy" recommendation stamp, however, has surprised security experts. The camera has security flaws involving video feed compromise.

The Which? review of home security cameras judged the devices on multiple criteria including functionality, ease of use and value for money as well as privacy.

Which? noted that there were "some privacy concerns" with the "expensive" Samsung SmartCam while continuing to list the device as its top pick.

Security experts at Pen Test Partners reacted to this assessment with incredulity. "Which? Magazine have recommended a smart camera that allows their readers to be spied on," said Pen Test Partners' Ken Munro.

Munro faulted Which? for not seemingly not reviewing published research on flaws with the camera in reaching its assessment, which seemed to weight its support for encrypted communication very heavily while apparently neglecting other security problems with the device.

The vulnerabilities

Takeover vulnerabilities were found in this camera in 2014, predating the 2016 Which? review. They were still present until recently. In August 2016, command injection vulnerabilities were uncovered. More recently, in April 2018, Kaspersky published a report into the security of the SmartCam SNH-P-6410 that described it as "riddled with bugs".

This is in addition to other problems Pen Test Partners itself has found with the Samsung-branded device.

"We've tested this Samsung SmartCam camera several times for various different organisations, going back to 2016," Munro explained. "Obviously, client engagements are covered by non-disclosure agreements, however we worked with each client to report the findings responsibly to Samsung (Hanwha Techwin is the actual manufacturer) for remediation to be carried out.

"So, we knew about the issues but had to remain silent for contractual reasons."

Which? either didn't know about or placed little weight on multiple security criticisms of the Samsung SmartCam SNH-P-6410 while slamming the Hive for comparatively less serious problems, further irritating Munro.

"What made this even worse was that Which? made a big deal of a single plain text request from the Hive smart camera – this wasn't ideal, but to exploit it would require first compromising the users Wi-Fi network [and] even then the only data exposed was the users email address," Munro explained.

"Yet, they made a 'Best Buy' recommendation for a camera whose video feed could be accessed by anyone, among [other] numerous security flaws."

Unresolved flaws in the Samsung SmartCam SNH-P-6410 make it either a nosy neighbour or local stalker, according to Munro.

"The cameras are still vulnerable to a de-authentication and evil twin attack. Hence, anyone in Wi-Fi range can access the user's video feeds," he warns, adding that the locations of vulnerable devices might easily be uncovered using the wigle.net Wardriving database.

"The cameras also have terrible local network security, so if one cracks the users Wi-Fi PSK [pre-shared key] or has local access, it’s possible to completely compromise the camera. Command injection, total pwnage.

"Which? either need to significantly upgrade the depth of security testing, or stop making recommendations in the consumer IoT space."

All the magazine had to do was Google and they'd have seen that the device exhibited a number of security problems, Munro told El Reg. All they appeared to have done was a cursory check on the mobile app.

"I don't even think they tested the mobile app thoroughly – as far as I can make out they were just looking for unencrypted comms. That would explain why they found the minor issue in the Hive, but missed the glaring hole in the Samsung.

"Their methodology is screwed – they state that the presence of encryption makes the data secure."

El Reg asked Which? to comment on PTP's criticisms. In response the well-respected magazine highlighted the caveat it had made to its endorsement without commenting on the product's various vulnerabilities. It confirmed its recommendation was made on the basis of more detailed reviews carried out two years ago.

Which? found a minor privacy concern with this device at the time of testing more than two years ago and this is clearly stated in the review. Our rigorous testing programme is constantly evolving to take into account changes in the tech security landscape and to ensure our members have access to the impartial advice they need to inform them when they make a purchase.

Which? works tirelessly with tech companies, security experts and the Government to push for improvements in the connected tech sector – including playing a key role in guidance to make products secure by design, which will help improve security on smart devices for millions of consumers.

Pen Test Partners has an extensive portfolio of work assessing the security of IoT devices under its belt – including research into everything from smart kettles to maritime shipping. That work has included research into smart home security cameras. For example, PTP researchers recently uncovered flaws in Swann and FLIR cameras so serious the devices could be turned against their owners and used to spy on them in their own homes. ®

Similar topics

Broader topics


Other stories you might like

  • What if ransomware evolved to hit IoT in the enterprise?
    Proof-of-concept lab work demos potential future threat

    Forescout researchers have demonstrated how ransomware could spread through an enterprise from vulnerable Internet-of-Things gear.

    The security firm's Vedere Labs team said it developed a proof-of-concept strain of this type of next-generation malware, which they called R4IoT. After gaining initial access via IoT devices, the malware moves laterally through the IT network, deploying ransomware and cryptocurrency miners while also exfiltrating data, before taking advantage of operational technology (OT) systems to potentially physically disrupt critical business operations, such as pipelines or manufacturing equipment.

    In other words: a complete albeit theoretical corporate nightmare.

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • Talos names eight deadly sins in widely used industrial software
    Entire swaths of gear relies on vulnerability-laden Open Automation Software (OAS)

    A researcher at Cisco's Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.

    The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data within an IT environment between hardware and software and playing a central role in organizations' industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs and OPCs and IoT devices, as well as custom applications and APIs, databases and edge systems.

    Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.

    Continue reading
  • That critical vulnerability might not be the first you should patch
    Startup Rezilion suggests enterprises should change prioritization strategies

    Enterprise security teams being overrun by the rising numbers of vulnerabilities uncovered each day could vastly reduce their patching workload by changing how they prioritize the flaws, according to recent research from vulnerability startup Rezilion.

    Most enterprises look to the ratings given to flaws in the Common Vulnerability Scoring System (CVSS) framework, which range from 0 to 10 (with 10 being the highest) and are ranked as low and medium to high and critical, depending on the characteristics of the vulnerability.

    Companies will start their remediation efforts with the vulnerabilities deemed "critical" and work their way down, said Yotam Perkal, director of vulnerability research with Rezilion.

    Continue reading
  • To cut off all nearby phones with these Chinese chips, this is the bug to exploit
    Android patches incoming for NAS-ty memory overwrite flaw

    A critical flaw in the LTE firmware of the fourth-largest smartphone chip biz in the world could be exploited over the air to block people's communications and deny services.

    The vulnerability in the baseband – or radio modem – of UNISOC's chipset was found by folks at Check Point Research who were looking for ways the silicon could be used to remotely attack devices. It turns out the flaw doesn't just apply to lower-end smartphones but some smart TVs, too.

    Check Point found attackers could transmit a specially designed radio packet to a nearby device to crash the firmware, ending that equipment's cellular connectivity, at least, presumably until it's rebooted. This would be achieved by broadcasting non-access stratum (NAS) messages over the air that when picked up and processed by UNISOC's firmware would end in a heap memory overwrite.

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading

Biting the hand that feeds IT © 1998–2022