Samsung's Smartcam HD Plus has fallen to security researchers over at Exploitee.rs, who were able to gain root access to the camera by pushing a malicious file to the camera through the iWatch interface. The bug, in short, uses leftover scripts that Samsung did not remove following a previous bug, left in place to allow for easy firmware updates over the web. This interface can be duped into installing a malicious file to the camera fairly easily through a PHP system call. Once the exploit has been used, a user has full access to the camera, including root access, through any network connection that the camera is on.
The exploit itself, as noted above, is quite easy to commit; all a user has to do is push a .tar file containing a specially named .php file, named install.php, with any code they want to run. In this particular exploit, the code can gain root access for remote commands, and even re-enable the administration panel that Samsung ripped out of the camera in response to an earlier exploit that used it. In order to fix the bug and secure the camera, a user can actually use the exploit to modify a file that runs underneath remote code on the device. The fix is to simply add in code that checks for an administrator, which means that only the administrator that a user sets through the exploit can get into the system.
The implications of this exploit are quite far-reaching; a hacker that breaks into the camera through this exploit can not only watch the feed and send any remote command to the camera that they want, they can even use the fix described above to lock a user out of their own camera, in essence seizing it for their own in every way except physical. Samsung has yet to comment on this newest exploit. Exploitee.rs has made the exploit completely public, down to the last technical detail, which means that owners of these cameras should be careful about security, and if they are technically inclined, consider applying the fix, which can be found through the source link, as a temporary fix until Samsung pushes their own patch.