A team of researchers from the University of Michigan and Microsoft conducted an analysis of a smart home platform from Samsung-owned SmartThings and discovered vulnerabilities that could be exploited for remote attacks. SmartThings says it has taken steps to address the flaws, but downplayed the risk.
In a paper they will present later this month at the IEEE Symposium on Security and Privacy, researchers said they focused their efforts on Samsung’s SmartThings because it has the largest number of mobile apps, called SmartApps, and it supports a broad range of devices, including door locks, fire alarms and motion sensors.
The problem, according to researchers, is that many of the 521 available SmartApps are overprivileged — they are granted full access to the device they are installed on even though they request only limited access, or they don’t actually use the privileges they request.
Another issue is related to the SmartThings event subsystem. The events used by a device to communicate with SmartApps are not properly secured, exposing potentially sensitive information, such as door lock codes, to unauthorized parties.
In one of the experiments conducted by researchers, they managed to leverage an existing SmartApp to add their own PIN to a smart lock. The attack involves stealing the app’s OAuth token and getting the victim to click on a link. After experts notified SmartThings, the company implemented some changes to the OAuth flow in an effort to prevent potential attacks.
In a different experiment, researchers created their own app, which allowed them to eavesdrop on events and steal sensitive information. The test application was apparently designed to only monitor the battery levels of connected devices. In reality, it could intercept a door lock PIN programmed by the user and send it to the attacker via SMS.
The app relied on the fact that unprivileged applications can read all events using only a leaked device identifier.
Events can also be spoofed, which experts demonstrated by using a SmartApp available on the app store to disable a home’s “vacation mode,” a feature that simulates turning lights and other devices on and off to make it look like someone is in the home while the owners are on vacation.
Event spoofing was also used by the experts to simulate an attack scenario where an apparently benign app was used to interact with an alarm panel SmartApp that has access to alarms, carbon monoxide (CO) detectors, and motion and water sensors. The attack app developed by experts could create a fake event for the CO detector and set off the alarm.
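The three weaknesses described above (coarse, overprivileged grants; events readable by any app that knows a device identifier; events that can be forged by an app) all come down to where the platform checks authorization. The toy broker below is an added illustration written for this article, not SmartThings' API or the researchers' code; the class names, capability strings and device identifiers are invented. It contrasts a whole-device grant with a per-capability grant, delivers events only to apps holding the matching capability, and accepts an event only from the device whose identifier it carries.

```python
# Added illustration for this article: a toy capability-scoped broker showing why
# per-capability grants and authenticated event origins close the three gaps the
# article describes. Class and capability names are invented; this is neither
# SmartThings' API nor the paper's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    device_id: str    # device the event is about
    capability: str   # e.g. "battery" or "lock"
    name: str         # e.g. "level" or "codeChanged"
    value: str        # payload; a lock code is sensitive


class PermissionDenied(Exception):
    pass


class Broker:
    """Mediates commands, subscriptions and event delivery between devices and apps.

    grants maps app_id -> device_id -> set of approved capabilities. A coarse
    (whole-device) grant reproduces the overprivilege problem; a fine-grained grant
    limits the app to the capabilities it actually asked for.
    """

    def __init__(self):
        self.devices = {}        # device_id -> set of capabilities it exposes
        self.grants = {}         # app_id -> {device_id: set(capabilities)}
        self.subscriptions = {}  # app_id -> set of (device_id, capability)
        self.inbox = {}          # app_id -> list of delivered events

    def register_device(self, device_id, capabilities):
        self.devices[device_id] = set(capabilities)

    def install(self, app_id, device_id, requested, coarse=False):
        """User approves app_id for device_id. With coarse=True every capability of
        the device is granted regardless of what was requested (the flawed model)."""
        exposed = self.devices[device_id]
        granted = set(exposed) if coarse else set(requested) & exposed
        self.grants.setdefault(app_id, {})[device_id] = granted
        self.subscriptions.setdefault(app_id, set())
        self.inbox.setdefault(app_id, [])

    def _authorize(self, app_id, device_id, capability):
        if capability not in self.grants.get(app_id, {}).get(device_id, set()):
            raise PermissionDenied(f"{app_id} has no {capability} grant on {device_id}")

    def command(self, app_id, device_id, capability, action):
        """Every command is checked against the grant, not just the device id."""
        self._authorize(app_id, device_id, capability)
        return f"{device_id}:{capability}.{action}"

    def subscribe(self, app_id, device_id, capability):
        """Knowing a device id is not enough; the app needs the capability grant."""
        self._authorize(app_id, device_id, capability)
        self.subscriptions[app_id].add((device_id, capability))

    def publish(self, sender, event):
        """Only the device itself may emit events carrying its device_id, so an app
        cannot inject a fake CO-detector reading."""
        if sender != event.device_id or sender not in self.devices:
            raise PermissionDenied(f"{sender} may not emit events for {event.device_id}")
        for app_id, subs in self.subscriptions.items():
            if (event.device_id, event.capability) in subs:
                self.inbox[app_id].append(event)


def demo():
    """Two battery-monitor apps on one lock: one fine-grained, one coarse (constructed)."""
    b = Broker()
    b.register_device("lock-1", {"battery", "lock"})
    b.register_device("co-1", {"carbonMonoxide"})
    b.install("battery-monitor", "lock-1", {"battery"})              # least privilege
    b.install("legacy-monitor", "lock-1", {"battery"}, coarse=True)  # overprivileged
    b.install("alarm-panel", "co-1", {"carbonMonoxide"})
    b.subscribe("alarm-panel", "co-1", "carbonMonoxide")

    out = {}
    for app in ("battery-monitor", "legacy-monitor"):
        b.subscribe(app, "lock-1", "battery")
        try:
            b.subscribe(app, "lock-1", "lock")
            out[app + "/lock-subscribe"] = "allowed"
        except PermissionDenied:
            out[app + "/lock-subscribe"] = "denied"

    # The lock emits a battery reading and a sensitive code change.
    b.publish("lock-1", Event("lock-1", "battery", "level", "87"))
    b.publish("lock-1", Event("lock-1", "lock", "codeChanged", "4321"))
    for app in ("battery-monitor", "legacy-monitor"):
        out[app + "/saw-code"] = any(e.name == "codeChanged" for e in b.inbox[app])

    # An app tries to forge a CO alarm event for a device it does not own.
    try:
        b.publish("legacy-monitor", Event("co-1", "carbonMonoxide", "detected", "true"))
        out["spoof"] = "delivered"
    except PermissionDenied:
        out["spoof"] = "rejected"
    out["alarm-events"] = len(b.inbox["alarm-panel"])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under the coarse grant the battery-monitor app can subscribe to lock events and sees the code change; under the per-capability grant the same subscription is refused at install-time scope, so a leaked device identifier buys nothing. The origin check in `publish` is what keeps an app-side event from reaching the alarm panel as if it came from the detector.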
A survey of nearly two dozen SmartThings customers showed that while most of them would be interested in an app that monitors battery levels, only 14 percent of them figured out that the app can steal their door lock codes, which suggests that the attack scenario described by the researchers is not unrealistic.
Response from SmartThings
SmartThings was informed about the security holes in mid-December 2015 and the company has taken steps to address the issues, but assured customers that they haven’t been affected by the vulnerabilities.
SmartThings has provided the following statement to SecurityWeek:
Protecting our customers’ privacy and data security is fundamental to everything we do at SmartThings. We regularly perform penetration tests of our system and engage with professional third party security experts, embracing their research so that we can continue to stay in front of any potential vulnerabilities and be industry leaders when it comes to the security of our platform.
We are fully aware of the University of Michigan/Microsoft Research report and have been working with the authors of the report for the past several weeks on ways that we can continue to make the smart home more secure as the industry grows. The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure.
Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp.
As an open platform with a growing and active developer community, SmartThings provides detailed guidelines on how to keep all code secure and determine what is a trusted source. If code is downloaded from an untrusted source, this can present a potential risk, just as when a PC user installs software from an unknown third-party website there is a risk that the software may contain malicious code. Following this report, we have updated our documented best practices to provide even better security guidance to developers.