14 DAY TRIAL // Researchers from the University of Michigan and Microsoft have discovered a series of security issues with Samsung's SmartThings smart home management platform.
SmartThings is a so-called smart home hub, an extendable IoT home platform that allows users to buy and add smart devices for their home, connect them to the SmartThings hub, and control all devices at once using the SmartThings app or via separate apps created by the devices' vendors.
In the world of IoT homes, SmartThings is currently the biggest platform, with built-in support for hundreds of devices. For this reason, the team of researchers focused their efforts on this technology.
Researchers find two glaring security holes
For their study, they subjected 499 SmartApps and 132 device handlers to a series of static code analysis tests. Summarizing the results of their work, the researchers narrowed their work to two main issues.
“ First, although SmartThings implements a privilege separation model, we found that SmartApps can be overprivileged. That is, SmartApps can gain access to more operations on devices than their functionality requires. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock pincodes. ”
In layman's terms, researchers found that apps were requesting more permissions than needed and they didn't protect sensitive data while in traffic.The research team said that 55 percent of the scanned apps required more permissions than they were designed to use, and 42 percent of the apps received permissions they did not ask for.
As for the second flaw, researchers created a malicious app that they said only monitored battery levels on various IoT smart home devices, but behind the user's back, it intercepted and then spoofed commands from local SmartThings-powered smart doors, allowing attackers to open locks on command.
Samsung addressed the "hypothetical" issues
Alex Hawkinson, founder and CEO of SmartThings, responded by claiming researchers discovered "hypothetical" vulnerabilities, which can only be exploited under certain circumstances. Nevertheless, Mr. Hawkinson said that Samsung worked with the research team to address the reported issues, which have now been fixed.
More details are available in the Security Analysis of Emerging Smart Home Applications report. Some proof-of-concept demos recorded by the researchers are embedded below.
