
Hacking the Samsung NX300 "Smart" Camera - ge0rg
http://op-co.de/blog/posts/hacking_the_nx300/
======
matthewmacleod
Jesus. How do engineers get away with this sort of thing? Why is there such
resistance among hardware companies to a philosophy along the lines of "let's
develop some simple, no-nonsense, standards-compliant firmware with a
straightforward user interface"? Like every single router configuration page -
godawful.

There's a hardware platform I've been keen to implement for some time, and to
some extent I keep putting it off when I think about how challenging security
and a good UX would be. Apparently the bar is lower than I thought.

~~~
javajosh
People don't care how the sausage is made.

~~~
pfortuny
That is until some expert comes and informs them that it is actually made 90%
pork 10% rat.

~~~
dvhh
And soylent green is ... never mind the taste is amazing

------
richardwhiuk
FYI, the request to [http://gld.samsungosp.com](http://gld.samsungosp.com) is
probably to attempt to detect wireless networks which require login.

iOS does something similar - [http://blog.erratasec.com/2010/09/apples-secret-wispr-reques...](http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html)

~~~
mey
I understand the accept-language based on the company that created the device,
but why would the accept reference shockwave and excel documents? That seems a
little odd and not a simple library default.

------
lnanek2
The security flaws are bad, like not write locking the tag.

Still, lots of fun stuff for a developer user there, though. It runs a full X
server, so technically some Linux people might consider it even more capable
than Android.

Supporting a shared amongst manufacturers format like DLNA is cool too. Maybe
a different brand smartphone could work with it more easily then, for example.

~~~
skeletonjelly
Plug in a few things and you'd be able to make a phone call from your camera
and have it run Breakout or something

------
mx12
If you're interested in more camera hacking, here is a very interesting talk
from last year's Black Hat about hacking security cameras.

Title: Black Hat USA 2013 - Exploiting Network Surveillance Cameras Like a
Hollywood Hacker
[https://www.youtube.com/watch?v=LaI0xjeefpg](https://www.youtube.com/watch?v=LaI0xjeefpg)

------
feniv
I bought this camera several months ago and I just want to chime in and say
it takes some AMAZING pictures. For all of the complaints about how bad
Samsung's software is, its UI is a lot more intuitive than what I've come to
expect from most cameras. The vulnerabilities they mention seem akin to what
you get from connecting most printers to your network.

~~~
ge0rg
My goal was not to criticize their UX (which I do nevertheless, triggering
"advanced" features like HDR takes some amount of clicking), but to point out
things that still need to be improved. Modern interconnected devices need to
adhere to a new security standard, or they will be turned into bugs against
their owners.

------
mikestew
I'm shocked, _shocked_ that there is shitty software running in this Samsung
establishment. When I saw the title, I had a strong suspicion that it wasn't
about making the camera do cool things, but the subject would be "how broken
is Samsung's firmware?"

What is it with Samsung and software? I mean, they can crank out some decent
hardware, but their software is consistently abysmal. I have a Note 3. Ignore
the plasticky and cheesy (fake leather stitching? Really?) exterior, and it's a
decent piece of kit. But the included software is consistently crap. I bought
the Note for the stylus, but both S Note and Action Memo apps that are to be
used with the stylus consistently lost data. I think they fixed it in a later
update (haven't lost data lately), but it doesn't inspire confidence.

The prime example is Samsung's new Gear Fit. It just plain doesn't work as
advertised, and it's due to unbelievably broken software. The only things that
work reliably are the notifications and the pedometer. And though the
pedometer works (if a bit inaccurately) the data reporting is broken. I mean
so broken that if you want a historical listing of your steps each day, you'll
have to write it down because the data reporting is grossly inaccurate.
Everything else, including most exercise functionality, just doesn't work. I
thought it would be fun (and please pardon the shameless plug) to see if I can
post a new bug every day:
[http://gearfitbugs.tumblr.com](http://gearfitbugs.tumblr.com) (been slacking
the last few days for lack of time).

Point is, how do they stay in business? Who buys one Samsung product and then
turns around later to buy another one (okay, me, I guess)? For me, they don't
get three strikes. Two hardware products with amateur-level software (with
apologies to all amateur developers out there; your stuff is likely better
than Samsung's) are the only chances Samsung will get with me. And if they
think I'm letting one of their Internet-connected TVs (with mic and camera) in
my house, they're delusional.

The Gear Fit brought to mind another question that I'll likely never get an
answer to: how does this happen? Fine, you made some really bad dev hires. But
don't you have a test team? Does the test team suck, or are they just ignored?
What about project management? When the test team comes back and says, "the
cycling function doesn't work. It will never record a whole workout without
stopping mid-way.", does PM just say "ship it anyway"? Come ship date, you
just take whatever is sitting at HEAD no matter what shape it's in, build it
and call it the RTM build? I would seriously pay a week's wages to spend a
week with their product team to get a look from the inside on how not to build
software.

~~~
dba7dba
> I'm shocked, shocked that there is shitty software running in this Samsung
> establishment.

haha. As someone with some knowledge of Korea, I can add a few pointers. Of
course it should NOT be used to paint a broad black/white picture of S Korea
or even the state of IT companies in S Korea, but let me try. Please note this
is just a personal view.

First, Samsung and other S Korean companies know their weakness is software.
They started providing more funding for software majors and Samsung even
started a program where they will sponsor (pay salary, provide office space)
high school graduates (but not in college yet) to study coding and put out
projects over a period of a years (?) all in order to have more talent
get into software.

So WHY this seeming lack of talent/interest in software building in S
Korea's mega corporations? Surely with companies such as Hyundai Motors and
Hyundai Shipyards and Samsung memory chips, it shouldn't be that hard to find
good software engineers and coders?

I was told one reason is software piracy. It's gotten much better but in the
past software piracy was a big issue in SK. I've used/seen many softwares in
the past but the only one that ever required a physical dongle for licensing
was a Korean Word processor. I had to support it a bit many many years ago.
That was the only one with physical dongle for licensing that I've come
across. Why the piracy? Well because people didn't have money (or thought
didn't have enough money to spend on some intangible thing that requires a fee
based upgrade in just a 1 or so). There's a reason linux/opensource is strong
in some countries. Some just don't have the money to spend on software.

So due to piracy, a generation of students came to think that software was not
a secure career path. Why get into a career to work to build something that
can be easily copied at little cost?

Another reason I see is English. Again, it's gotten better with the obscene
amount of money the nation as a whole spends on learning English and now other
languages. But learning English for S Koreans used to be pretty intimidating.
Sure source code is nonsensical alphabets to even native English speakers.
Imagine someone learning English for first time starting in middle school with
a dozen other subjects to learn. No wonder it was hard to find decent English
speaker/writer in S Korea for decades. If you were decent at English, you had
other far more prestigious/lucrative career path for you.

One possible reason that the seemingly big/stable corporations in S Korea
don't seem to attract good coders is requirement for degree from top school.
Getting into good college in S Korea is hard enough. Well, getting into one of
the big corporations like Hyundai/Samsung is even more competitive. And we all
know the really outstanding programmer/coder/startupers usually didn't have a
degree when they started out in programming/IT. Like Jobs, Gates, etc.

That's my 2 cents.

~~~
ge0rg
_So due to piracy, a generation of students came to think that software was
not a secure career path. Why get into a career to work to build something
that can be easily copied at little cost?_

Wow, this is really interesting - in Russia, piracy was as prevalent, but my
gut feeling is that Russian software is far superior to their hardware.

~~~
makmanalp
I think that's a function of their strong focus on mathematics and engineering
education during the Soviet era (and then CS departments grew as an offshoot
of that, I bet).

------
murf13001230
I don't know... I kind of like it that it is as hackable as it is. Worst thing
imho is the permanent write-lock problem and that it should be secured in a
way that lets the user hack it but keep the baddies out.

------
userbinator
I don't think a digital camera needs to be running a pretty full-featured
Linux distro with X11 and all, nor phone home with your location, nor have
several hundred MB of firmware. These "smart" devices are way too smart for
their own good.

