SmartThings Flaws Expose Smart Homes to Hacker Attacks

A team of researchers from the University of Michigan and Microsoft conducted an analysis of a smart home platform from Samsung-owned SmartThings and discovered vulnerabilities that could be exploited for remote attacks. SmartThings says it has taken steps to address the flaws, but downplayed the risk.

In a paper they will present later this month at the IEEE Symposium on Security and Privacy, researchers said they focused their efforts on Samsung’s SmartThings because it has the largest number of mobile apps, called SmartApps, and it supports a broad range of devices, including door locks, fire alarms and motion sensors.

The problem, according to researchers, is that many of the 521 available SmartApps are overprivileged — they are granted full access to the device they are installed on even though they request only limited access, or they don’t actually use the privileges they request.

Another issue is related to the SmartThings event subsystem. The events used by a device to communicate with SmartApps are not properly secured, exposing potentially sensitive information, such as door lock codes, to unauthorized parties.

In one of the experiments conducted by researchers, they managed to leverage an existing SmartApp to add their own PIN to a smart lock. The attack involves stealing the app’s OAuth token and getting the victim to click on a link. After experts notified SmartThings, the company implemented some changes to the OAuth flow in an effort to prevent potential attacks.

In a different experiment, researchers created their own app, which allowed them to eavesdrop on events and steal sensitive information. The test application was apparently designed to only monitor the battery levels of connected devices. In reality, it could intercept a door lock PIN programmed by the user and send it to the attacker via SMS.

The app relied on the fact that unprivileged applications can read all events using only a leaked device identifier.

Events can also be spoofed, which experts demonstrated by using a SmartApp available on the app store to disable a home’s “vacation mode,” a feature that simulates turning lights and other devices on and off to make it look like someone is in the home while the owners are on vacation.

Event spoofing was also used by the experts to simulate an attack scenario where an apparently benign app was used to interact with an alarm panel SmartApp that has access to alarms, carbon monoxide (CO) detectors, and motion and water sensors. The attack app developed by experts could create a fake event for the CO detector and set off the alarm.
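To make the two event-subsystem weaknesses above concrete, here is an added toy model (not code from the paper or from SmartThings, whose real API differs): an event bus that routes by device identifier alone, beside one that delivers only on a user-granted (device, capability) pair and drops events whose origin is not the device itself. The event record fields and app names are assumptions for the example.

```python
# Added example, not code from the paper or SmartThings. Assumed: a toy
# event record {"device", "cap", "value", "origin"} and two delivery policies.

# Constructed sample events: a lock reports its battery and a new user code;
# a third event claims the CO detector as source but is emitted by an app.
LOCK, CO = "lock-01", "co-01"
EVENTS = [
    {"device": LOCK, "cap": "battery", "value": 87, "origin": "device:lock-01"},
    {"device": LOCK, "cap": "lockCodes", "value": "4521", "origin": "device:lock-01"},
    {"device": CO, "cap": "carbonMonoxide", "value": "detected", "origin": "app:rogue"},
]

def weak_deliver(events, subscriptions):
    """Overprivileged routing: subscriptions map app -> set of device ids.
    Any app that knows a device id receives every event on that device,
    and the event's sender is never checked."""
    inbox = {app: [] for app in subscriptions}
    for ev in events:
        for app, devices in subscriptions.items():
            if ev["device"] in devices:
                inbox[app].append(ev)
    return inbox

def hardened_deliver(events, grants):
    """Least-privilege routing: grants map app -> set of (device, cap) pairs
    the user approved. An event reaches only apps holding that exact pair,
    and only if its origin is the device itself; spoofed events are dropped
    and reported rather than routed."""
    inbox = {app: [] for app in grants}
    rejected = []
    for ev in events:
        if ev["origin"] != f"device:{ev['device']}":
            rejected.append(ev)  # sender is not the device: spoofed
            continue
        for app, caps in grants.items():
            if (ev["device"], ev["cap"]) in caps:
                inbox[app].append(ev)
    return inbox, rejected

if __name__ == "__main__":
    weak = weak_deliver(EVENTS, {"battery_monitor": {LOCK, CO}})
    print("weak:", [e["cap"] for e in weak["battery_monitor"]])
    strong, rejected = hardened_deliver(EVENTS, {
        "battery_monitor": {(LOCK, "battery")}, "alarm_panel": {(CO, "carbonMonoxide")}})
    print("hardened:", {a: [e["cap"] for e in v] for a, v in strong.items()})
    print("rejected:", [e["origin"] for e in rejected])
```

Under the weak policy the battery monitor sees the lock code and the forged CO event; under the hardened policy it sees only the battery reading, and the forged event never reaches the alarm panel.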

A survey of nearly two dozen SmartThings customers showed that while most of them would be interested in an app that monitors battery levels, only 14 percent of them figured out that the app can steal their door lock codes, which suggests that the attack scenario described by the researchers is not unrealistic.

Response from SmartThings

SmartThings was informed about the security holes in mid-December 2015 and the company has taken steps to address the issues, but assured customers that they haven’t been affected by the vulnerabilities.

SmartThings has provided the following statement to SecurityWeek:

Protecting our customers’ privacy and data security is fundamental to everything we do at SmartThings. We regularly perform penetration tests of our system and engage with professional third party security experts, embracing their research so that we can continue to stay in front of any potential vulnerabilities and be industry leaders when it comes to the security of our platform.


We are fully aware of the University of Michigan/Microsoft Research report and have been working with the authors of the report for the past several weeks on ways that we can continue to make the smart home more secure as the industry grows. The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure.


Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp.


As an open platform with a growing and active developer community, SmartThings provides detailed guidelines on how to keep all code secure and determine what is a trusted source. If code is downloaded from an untrusted source, this can present a potential risk just like when a PC user installs software from an unknown third party website, there’s a risk that software may contain malicious code. Following this report, we have updated our documented best practices to provide even better security guidance to developers.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.