Samsung’s SmartThings system has massive vulnerabilities
Tue 3 May 2016
A team of researchers from the University of Michigan has found that Samsung’s SmartThings home automation system had a number of security flaws, which could subvert user settings or even allow hackers access to the home. This is believed to be the first real-world, platform-wide test of the popular integrated home security system, and revealed some serious design vulnerabilities.
A SmartThings home monitoring kit provides hardware that allows a user to monitor and control their home remotely, from a smartphone or mobile device. It can control the locks on doors as well as lights, heating and air conditioning, provide motion sensing and activate alarms for fire or unwanted entry.
The researchers demonstrated how a SmartApp could be used as a remote lock-picking device. Disguised as a battery-level monitoring app, it spies on a user setting a PIN code for unlocking their doors, and texts that PIN to a potential hacker. Another SmartApp already available for use with the SmartThings system could be hacked to create an additional PIN code for unlocking doors as well – using an app designed for something completely different to create a ‘spare key’ to someone hoping to gain access to the home.
The researchers were also able to set off erroneous fire alarms remotely, and to turn off ‘vacation mode’ settings designed to provide security when home-owners are gone.
The security flaws found in the study fall into three categories. The first is called ‘over-privilege’; the system grants each app a full-device level control, rather than having apps fall under narrower restrictions of access. This is how researchers were able to exploit an app to eavesdrop on the setting of PIN codes.
Over 40% of the 500 SmartApps studied had some sort of capability that was not expressed by the developers in their code. The second category is an incorrect use of OAuth, whereby a hacker can exploit the authorization codes of the devices, which allowed them to create a separate PIN code for the doors. Finally, an insecure event subsystem allowed the team to send the system erroneous messages that caused the false fire alarms and the remote changes to vacation settings.
As the Internet of Things grows in popularity and is integrated into the daily lives of consumers, security will become more of an issue. PhD student Earlence Fernandes, who led the study, said, “One way to think about it is if you’d hand over control of the connected devices in your home to someone you don’t trust and then imagine the worst they could do with that and consider whether you’re okay with someone having that level of control.” He went on to say that “letting it control your window shades is probably fine.”