Security researchers at the University of Michigan have found a number of design flaws in the Samsung SmartThings platform. The flaws potentially undermine the security of any smart home built on the SmartThings ecosystem, allowing a malicious app to unlock doors, interfere with alarms, set its own door passcodes, take a home out of vacation mode, and carry out a host of other attacks.

Admittedly, one of the attacks depends on the user installing a malicious app from the SmartThings store or clicking a malicious link. But once that has happened, the attacker can carry out the rest of the attack remotely, from anywhere in the world.

Predictably, Samsung has played down the severity of the issues, saying that it is fully aware of them and is proactively fixing them.

Is that good enough? Or should a technology company of Samsung’s size be looking harder at why its products ship with security flaws in the first place? Let’s take a look.

Numerous vulnerabilities

The University of Michigan researchers built a series of proof-of-concept attacks to identify potential weaknesses in the Samsung SmartThings ecosystem. Samsung is one of the largest manufacturers of IoT-ready (Internet of Things) devices, including refrigerators, thermostats, ovens, door locks, security panels, sensors and more, so it is no surprise that its security credentials are under scrutiny.

The researchers traced the attacks back to two underlying design flaws in the SmartThings platform, and neither of them is straightforward to fix.

The first problem lies in how third-party smart home control apps implement the OAuth authorization protocol. The researchers found one app that implemented it incorrectly and built a complete attack on that flaw: the victim is sent a single link that leads to the genuine SmartThings login page, yet the login process hands the user’s access token to the attacker. With the token in hand, the attacker can program their own PIN into the smart lock while the user is left
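As an added example (not code from the paper, from Samsung or from the app that was studied, whose exact flaw is not described on this page), the model below shows one common way a login link can hand a token to an attacker: the authorization server accepts a redirect_uri that does not really belong to the client. The link points at the genuine login host, so the user does log in on the real page; whether the authorization code then reaches the attacker depends entirely on how redirect_uri is validated. The hostnames, the client registration and the prefix-match check are assumptions for illustration.

```python
"""Model of redirect_uri validation in an OAuth 2.0 authorization-code flow.

Constructed example: the hostnames, client registration and checks are
assumptions for illustration, not SmartThings' or any third-party app's code.
"""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical authorization server: the genuine login page the victim sees.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize"

# Hypothetical client registration. Registering only an origin, rather than
# the full callback URL, is a common shortcut that makes prefix checks unsafe.
REGISTERED_REDIRECTS = {
    "demo-client": {"https://app.example.com"},
}

# Attacker-controlled host whose name merely begins with the registered origin.
ATTACKER_REDIRECT = "https://app.example.com.attacker.example/steal"


def build_authorize_link(client_id: str, redirect_uri: str) -> str:
    """Build the authorization link a user could be sent.

    The scheme and host are the real authorization server, so the victim does
    log in on the genuine page; only redirect_uri is attacker-chosen.
    """
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "app",
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def weak_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accept any URI that starts with a registered value."""
    return any(redirect_uri.startswith(r)
               for r in REGISTERED_REDIRECTS.get(client_id, ()))


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Strict check: exact string match against the registered set."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, ())


def authorize(link: str, check: Callable[[str, str], bool]) -> Optional[str]:
    """Server side, after a successful login: decide where the authorization
    code is sent. Returns the destination, or None when the request is
    rejected (a server must not redirect at all if redirect_uri fails)."""
    params = parse_qs(urlsplit(link).query)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    if client_id not in REGISTERED_REDIRECTS or not check(client_id, redirect_uri):
        return None
    return redirect_uri


if __name__ == "__main__":
    link = build_authorize_link("demo-client", ATTACKER_REDIRECT)
    print("link the victim clicks:", link)
    print("weak check sends the code to:", authorize(link, weak_redirect_ok))
    print("strict check sends the code to:", authorize(link, strict_redirect_ok))
```

With the weak check, the code is delivered to the attacker’s host even though the victim authenticated on the real login page; with the strict check the same link is rejected outright. Exact matching against the full registered callback URL is the behaviour the OAuth specification calls for, and it is the client developer’s registration plus the server’s comparison, not the login page, that decides the outcome.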

Another proof-of-concept attack abused over-broad permissions to disable “vacation mode”. Once an attacker can control vacation mode, they can switch off any pre-programmed vacation behaviour, such as randomly turning on lights throughout the house or opening and closing blinds to make the home look occupied.

That leads to the second design flaw. Most of the apps the researchers examined should never have had that level of privilege in the first place. The researchers counted roughly 500 individual apps in the SmartThings store, each offering some degree of control or automation over the home, and found that over 40% of them were granted more privileges than the often simple job they were designed to do required.

These over-privileged apps are a serious security problem, though often not entirely the app developer’s fault. Atul Prakash, professor of computer science and engineering at the University of Michigan, put it this way:

“SmartThings provides access by default at the full device level, not at a narrower level. As an analogy, let’s say you give someone permission to change a light bulb in your office, but that person also gets access to the entire office, including the contents of your filing cabinets.”
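As an added example (not SmartThings platform code or any real SmartApp), the model below makes the analogy concrete. A lock device exposes a battery reading, lock/unlock, and PIN-code management. Under a coarse-grained grant, an app that asks only for the battery capability receives the whole device object and can read the PIN codes; under a fine-grained grant it receives a handle limited to the operations of the capabilities it requested. The device, the capability names and the two apps are assumptions for illustration.

```python
"""Model of coarse- versus fine-grained device authorization.

Constructed example: the device, capability names and apps are assumptions
for illustration, not SmartThings' platform code or any real SmartApp.
"""
from dataclasses import dataclass, field


class Unauthorized(PermissionError):
    """Raised when an app calls an operation outside its granted capabilities."""


@dataclass
class SmartLock:
    """A door lock that also reports battery level and stores PIN codes."""
    battery: int = 87
    locked: bool = True
    codes: dict = field(default_factory=lambda: {1: "1234"})

    # capability "battery"
    def battery_level(self) -> int:
        return self.battery

    # capability "lock"
    def lock(self) -> None:
        self.locked = True

    def unlock(self) -> None:
        self.locked = False

    # capability "lockCodes"
    def set_code(self, slot: int, pin: str) -> None:
        self.codes[slot] = pin

    def get_codes(self) -> dict:
        return dict(self.codes)


# Which operations each capability covers (assumed names).
CAPABILITIES = {
    "battery": {"battery_level"},
    "lock": {"lock", "unlock"},
    "lockCodes": {"set_code", "get_codes"},
}


def grant_coarse(device, requested):
    """Coarse model: a valid request for any one capability hands the app the
    whole device object, so every operation on it becomes callable."""
    if not set(requested) & set(CAPABILITIES):
        raise Unauthorized("no recognised capability requested")
    return device


class CapabilityHandle:
    """Fine-grained model: a proxy exposing only the granted capabilities."""

    def __init__(self, device, granted):
        self._device = device
        self._allowed = set().union(*(CAPABILITIES[c] for c in granted))

    def __getattr__(self, name):
        # Only reached for names not found on the proxy itself.
        if name not in self._allowed:
            raise Unauthorized(f"'{name}' is not covered by the granted capabilities")
        return getattr(self._device, name)


def grant_fine(device, requested):
    """Fine-grained model: unknown capabilities are rejected outright, and the
    app receives a handle limited to the ones it asked for."""
    unknown = set(requested) - set(CAPABILITIES)
    if unknown:
        raise Unauthorized(f"unknown capabilities: {sorted(unknown)}")
    return CapabilityHandle(device, set(requested))


def battery_monitor(handle) -> int:
    """What a battery-monitoring app legitimately does."""
    return handle.battery_level()


def battery_monitor_gone_bad(handle) -> dict:
    """What the same app can also do if it was handed the whole device:
    read the PIN codes (and, for instance, ship them off to a remote server)."""
    return handle.get_codes()


if __name__ == "__main__":
    coarse = grant_coarse(SmartLock(), {"battery"})
    print("coarse handle, battery:", battery_monitor(coarse))
    print("coarse handle, PIN codes leaked:", battery_monitor_gone_bad(coarse))

    fine = grant_fine(SmartLock(), {"battery"})
    print("fine handle, battery:", battery_monitor(fine))
    try:
        battery_monitor_gone_bad(fine)
    except Unauthorized as exc:
        print("fine handle, PIN codes blocked:", exc)
```

The point of the proxy is that the decision about what an app may call is made once, at grant time, from the capabilities it declared, rather than being left to the good behaviour of every app that happens to hold a device reference. The same battery-monitor code runs unchanged against both handles; only the coarse one lets it reach the PIN codes.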

Samsung’s response

As you might expect, Samsung has publicly defended itself. The SmartThings statement reads as follows:

“Protecting the privacy and security of our customers’ data is fundamental to everything we do at SmartThings. We are fully aware of the University of Michigan/Microsoft Research report and have been working with the report’s authors over the past few weeks on how we can continue to make the smart home more secure as the industry grows.

The potential vulnerabilities disclosed in the report mainly depend on two scenarios — the installation of a malicious SmartApp application, or the failure of third-party developers to follow SmartThings recommendations to keep their code secure.

With respect to the malicious SmartApps described, they do not and will never affect our customers due to the certification and code review processes that SmartThings uses to ensure that malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to impact our customers, we have added additional security review requirements for publishing any SmartApp.

As an open platform with a growing and active developer community, SmartThings provides detailed guidance on how to keep all code safe and determine what is a trusted source. If the code is downloaded from an untrusted source, this may present a potential risk, just as when a PC user installs software from an unknown third-party website, there is a risk that the software may contain malicious code. Since this report, we have updated our documented recommendations to provide developers with even better security recommendations.”

This is not the first time Samsung has faced IoT security issues, and the problem is not confined to any one technology company. IoT devices are a perennial source of security concerns, and most users experimenting with new network-connected devices do not fully understand the implications of what they are doing.

A small SmartApp user study

The research team also ran a small study of SmartApp users, assessing how much attention they paid to the permissions they granted.

Shockingly, 20 of the 22 people surveyed would allow a battery-monitoring app to check the status of the smart locks installed in their home, even though that access would let the app send the door access codes to a remote server. This suggests that users are not exercising due diligence over their own security, even where the consequences could be serious financial loss or, in the worst case, physical danger.

But equally, and here I have some sympathy for users, a large part of the problem is that the companies that sell and install smart systems in private homes and businesses do not give their users enough education.

Of course, a user may understand what the installer tells them, but have they really digested the fact that their whole house is now online? Do they understand that their refrigerator is now on the network and exposed to the same kinds of vulnerabilities as their tablet? You can bet your bottom dollar that the user is far more aware of the tablet’s vulnerabilities than of the seemingly immaterial threat to the contents of the fridge.

Or, as the University of Michigan team wrote:

“Smart home devices and related software platforms will continue to proliferate and remain attractive to consumers because they provide powerful functionality. However, the results in this article suggest that caution is justified as well, both on the part of early adopters and framework developers. The risks are significant and are unlikely to be easily addressed with simple security patches.”

There is no need to panic. Samsung has already begun addressing some of the key issues highlighted in the paper, although it will be some time before SmartThings can be called a truly secure smart home platform.

Do you use SmartThings? Would you consider moving to another platform? Let us know below!

Photo Credit: Alexander Kirch via Shutterstock
