Seriously Samsung? Home surveillance cameras that exposes usernames and passwords to login.

Samsung's home surveillance IP cameras (including the SDE and SDR models) must be controlled with Silverlight Internet Explorer plugins, so I decided over the Thanksgiving holiday to see whether I could study the network traffic and understand how these devices worked.  While studying some of the endpoints, I came upon this security bulletin published 3 months ago.

http://www.securityfocus.com/archive/107/528120/30/0/threaded

Samsung provides a wide range of DVR products, all working with nearly
the same firmware. The firmware it's a Linux embedded system that
expose a web interface through the lighttpd webserver and CGI pages.

The authenticated session is tracked using two cookies, called DATA1
and DATA2, containing respectively the base64 encoded username and
password. So, the first advise for the developers is to don't put the
user credentials into the cookies!

Anyway, the critical vulnerability is that in most of the CGI, the
session check is made in a wrong way, that allows to access protected
pages simply putting an arbitrary cookie into the HTTP request. Yes,
that's all.

This vulnerability allows remote unauthenticated users to:

- Get/set/delete username/password of local users (/cgi-bin/setup_user)

- Get/set DVR/Camera general configuration

- Get info about the device/storage

- Get/set the NTP server

- Get/set many other settings

It turns out that the major Samsung home surveillance DVR have this security flaw. Essentially all the username and passwords are unhashed and can be retrieved by using an arbitary cookie.   The source code that retrieves this info is included here:

http://www.andreafabrizi.it/download.php?file=samsung_dvr.py

If you want to verify whether your device is vulnerable, check out :

http://ismysamsungdvrhacked.appspot.com/ (GitHub code here)

Hoping to find that Samsung fixed the issue, I went to http://www.samsungsv.com/Support/DVRFirmwareUpdate and discovered that the firmware versions have yet to be updated.

Why does this issue matter? For one, Samsung provides a Dynamic DNS service at samsungipolis.com (i.e. http://samsungipolis.com/home1) that enables customers to have their systems devices report the IP location.  This IP address is stored by Samsung and provides a redirect to the owner's hosted cameras.

$ curl http://www.samsungipolis.com/testing
<body>

    <meta http-equiv="refresh" content="0;url=http://98.17.152.5:80"/>


</body>

In other words, all you have to do is find a name that's using Samsung's Dynamic DNS service, point the Python script at this IP, and assuming the owner has enabled remote web interface access for the user account, you can login to their service (and possibly gain admin access to make any changes).  You obviously have to use Internet Explorer to test, since the plug-ins were built in Silverlight.  (If you get a blank white screen, you're probably using a non-IE browser.)

I've sent a note to their customer support and tweeted to them about this unpatched security flaw (now going on 3 months)  If you are running one of these systems, you're best option is to disable the web interface until this flaw is patched.

Update (12/1/2013): Samsung's web site at samsungsv.com does not have the updated firmware images, but you can sign up for a free account at http://developer.samsungtechwin.com and get access to newer versions of the firmware.

For the SDE-5001 DVR device, for instance, the latest version is v1.05.  However, this last update was made on 01/2013, about a year ago, which suggests that the patch has yet to be applied.  Also, by mounting the flash image, we can also see that the binary for the cgi_login program which has this security hole does not appear to have changed since the v1.02 version.   I also checked the lighttpd configuration and did not see any differences in the files. In other words, the security flaw still seems to exist.