Researchers Hijack Samsung's SmartThings IoT System
May 4, 2016 12:55 PM PT
Researchers at the University of Michigan on Monday announced they had uncovered a series of vulnerabilities in the Samsung SmartThings home automation system that essentially could have allowed hackers to take control of various functions and break into a user's home.
The researchers, working with Microsoft in what may be the first comprehensive study of an Internet of Things platform for the home, conducted a security analysis of the system.
They were able to perform four proof-of-concept attacks that allowed them entry to the home or the ability to take over different functions:
A lock-pick malware app, disguised as a battery-level monitor, could eavesdrop on a user setting a new PIN code for a door lock and send the PIN code to an attacker via text message.
An existing SmartApp could be exploited remotely to create a spare door key by programming an additional PIN code into an electronic lock.
A malicious SmartApp could turn off vacation mode in another app. Vacation mode lets users schedule indoor lights, blinds and other functions to help secure a home while residents are away.
By sending spoofed messages from a SmartApp, the researchers were able to set off a fire alarm.
The researchers chose SmartThings because of its wide use: the Android app for the system has been downloaded more than 100,000 times, and the SmartThings app store, where third-party developers publish apps that run in the SmartThings cloud, offers more than 500 apps.
The platform suffered from what the researchers call "overprivilege": SmartApps were granted more access to devices than they needed, so an app could make devices perform actions the app was never intended to control.
Roughly 40 percent of the nearly 500 apps tested were granted capabilities beyond those they required, and some apps implemented the OAuth authorization flow incorrectly, the researchers said. Combined with the excess privilege built into the platform, these flaws could allow attackers to program their own PIN code into a door lock, effectively creating a spare key to the home.
In addition, the platform's "event subsystem" -- the stream of messages that devices and apps generate, for example when a lock reports a newly set code -- was insecure, the researchers said: an app could read events it had no business seeing and could inject spoofed events of its own.
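To make the overprivilege and event-subsystem problems concrete, here is an added example that is not code from the paper, from SmartThings or from this article. It is a small Python model of an app platform: with fine_grained=False, binding an app to a device grants every capability the device has, and the event bus neither filters events by capability nor checks who raised them; with fine_grained=True, the app gets only the capability it requested, and events are filtered and their source checked. The capability and event names (battery, lock, lockCodes, codeReport, smoke) and the platform API are assumptions made for the model.

```python
"""Toy model of two platform design problems: coarse-grained (per-device)
privilege grants and an event bus that neither filters events by capability
nor checks who raised them. Added illustration, not SmartThings code or code
from the paper; the capability/event names (battery, lock, lockCodes,
codeReport, smoke) and the platform API are assumptions made for the model."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    capabilities: set[str]       # e.g. a lock exposes battery, lock and lockCodes


@dataclass
class Event:
    device: str                  # device the event is about
    capability: str              # capability the event belongs to
    name: str
    value: str
    source: str                  # who raised it: the device itself or an app name


@dataclass
class App:
    name: str
    requested: dict[str, str]    # device name -> the one capability the app asks for
    seen: list[Event] = field(default_factory=list)


class Platform:
    """fine_grained=False models the coarse design the researchers criticised;
    fine_grained=True models a least-privilege design."""

    def __init__(self, devices: list[Device], fine_grained: bool) -> None:
        self.devices = {d.name: d for d in devices}
        self.fine_grained = fine_grained
        self.grants: dict[str, dict[str, set[str]]] = {}   # app -> device -> caps
        self.subs: list[tuple[App, str]] = []              # (app, device) subscriptions

    def install(self, app: App) -> None:
        grants: dict[str, set[str]] = {}
        for dev_name, cap in app.requested.items():
            device = self.devices[dev_name]
            if cap not in device.capabilities:
                raise PermissionError(f"{dev_name} has no capability {cap}")
            # Coarse model: binding to the device grants every capability it has.
            # Fine model: the app gets exactly the capability it asked for.
            grants[dev_name] = {cap} if self.fine_grained else set(device.capabilities)
        self.grants[app.name] = grants

    def subscribe(self, app: App, dev_name: str) -> None:
        if dev_name not in self.grants.get(app.name, {}):
            raise PermissionError(f"{app.name} is not bound to {dev_name}")
        self.subs.append((app, dev_name))

    def can(self, app_name: str, dev_name: str, cap: str) -> bool:
        return cap in self.grants.get(app_name, {}).get(dev_name, set())

    def raise_event(self, ev: Event) -> bool:
        """Deliver an event to subscribers; returns False if it was rejected."""
        if self.fine_grained and ev.source != ev.device:
            # An app may only raise events for a capability it actually holds.
            if not self.can(ev.source, ev.device, ev.capability):
                return False
        for app, dev_name in self.subs:
            if dev_name != ev.device:
                continue
            # Fine model: filter by capability so a battery monitor never sees
            # lock-code events from the same device.
            if self.fine_grained and not self.can(app.name, dev_name, ev.capability):
                continue
            app.seen.append(ev)
        return True


def run_demo(fine_grained: bool) -> dict[str, bool]:
    """Replays the PIN-snooping and fake-alarm scenarios against one platform model."""
    lock = Device("front-door", {"battery", "lock", "lockCodes"})
    detector = Device("smoke-detector", {"smoke"})
    plat = Platform([lock, detector], fine_grained)

    monitor = App("battery-monitor", {"front-door": "battery"})   # the "lock-pick" app
    fire_watch = App("fire-watch", {"smoke-detector": "smoke"})   # legitimate alarm app
    for app, dev_name in ((monitor, "front-door"), (fire_watch, "smoke-detector")):
        plat.install(app)
        plat.subscribe(app, dev_name)

    # Constructed events: the user sets a new PIN, then the malicious app tries
    # to spoof a smoke event for a device it was never bound to.
    plat.raise_event(Event("front-door", "lockCodes", "codeReport", "1234", source="front-door"))
    spoof_ok = plat.raise_event(Event("smoke-detector", "smoke", "smoke", "detected", source="battery-monitor"))

    return {
        "monitor_can_set_codes": plat.can("battery-monitor", "front-door", "lockCodes"),
        "pin_leaked_to_monitor": any(e.name == "codeReport" for e in monitor.seen),
        "spoofed_event_accepted": spoof_ok,
        "alarm_triggered": any(e.name == "smoke" for e in fire_watch.seen),
    }


if __name__ == "__main__":
    print("coarse-grained:", run_demo(fine_grained=False))
    print("fine-grained:  ", run_demo(fine_grained=True))
```

Under the coarse model the battery monitor ends up holding the lock-code capability, receives the lock's codeReport event carrying the new PIN, and can raise a smoke event for a detector it was never bound to, so the alarm app fires. The fine-grained model blocks all four outcomes with the same app code; the only difference is that grants and checks are made per capability rather than per device, which is the substance of the overprivilege finding.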
They notified Samsung of the problem last year and have been working together to patch the vulnerabilities.
"Protecting our customers' privacy and data is fundamental to everything we do at SmartThings," said Alex Hawkinson, CEO of SmartThings.
The company regularly performs security checks of its system and engages with third-party experts to stay in front of vulnerabilities, he said.
The SmartThings team has been working with the researchers over the past several weeks on the vulnerabilities and has issued a number of updates to protect against potential vulnerabilities before they happen, Hawkinson said.
None of the vulnerabilities described in the report have impacted customers so far, he added.
The vulnerabilities primarily are dependent on two scenarios: the installation of a malicious SmartApp and the failure of third-party developers to follow SmartThings guidelines on how to keep their code secure, according to the company.
As an open platform with a growing and active community of developers, SmartThings provides detailed guidelines on how to keep all code secure and determine what is a trusted source, the company said. Code downloaded from an untrusted source may present a potential risk.
The company has updated its documented best practices to give better security guidance to developers, it said.
Without knowing the specifics of the development, it's impossible to know how the vulnerability was left exposed, said Christopher Budd, global threat communications manager for Trend Micro.
In general, such vulnerabilities point to issues in the development process, specifically around the priority of security in the process, he told TechNewsWorld.
"This is a broad and common class of issues not just in IoT devices, but desktop applications and mobile apps as well," Budd said.
The paper is scheduled to be presented later this month at the IEEE Symposium on Security and Privacy in San Jose, California.