Security Lapses Found in Samsung Smart Home System - RTInsights

University of Michigan researchers say Samsung’s SmartThings platform is a high security risk.

Written By
Sue Walsh
May 4, 2016

A team of researchers at the University of Michigan working with Microsoft has revealed that the Samsung SmartThings IoT platform for smart homes is riddled with security flaws. The discovery was announced on May 2 in a paper titled “Security Analysis of Emerging Smart Home Applications.”

The researchers said they were able to hack into the Samsung system and get the PIN code to the home’s front door through one of four attacks they carried out on an experimental setup of the SmartThings system. The “malware lock pick app” attack retrieved the PIN using a rogue SmartApp that eavesdropped on someone setting a new PIN. The stolen data was then texted to the hacker. The researchers disguised the app as a battery monitor whose code required no other access. The experiment also found these flaws:

  • A highly rated SmartApp could be remotely exploited to make a new door key simply by programming an additional PIN into the lock.
  • Any SmartApp could be exploited to inject fake messages that make a fire alarm go off.
  • A SmartApp could be used to remotely turn off “vacation mode” and unsecure a home.

“At least today, with the one public IoT software platform we looked at, which has been around for several years, there are significant design vulnerabilities from a security perspective,” said Atul Prakash, University of Michigan professor of computer science and engineering. “I would say it’s okay to use as a hobby right now, but I wouldn’t use it where security is paramount.”

The team said more than 40 percent of the nearly 500 apps they examined were granted privileges they didn’t need. They also found that OAuth was being deployed incorrectly and that the event subsystem on the platform is insecure.

In a May 2 blog post on their website, Samsung acknowledged the report and said they are taking it seriously.

“The report discloses hypothetical vulnerabilities in the SmartThings platform and demonstrates how, under certain circumstances, they could be exploited. Over the past several weeks, we have been working with this research team and have already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report.” Samsung also said it was grateful for the research and will work to improve the security of the platform.

The team will present their paper and the full findings of their study at the IEEE Symposium on Security and Privacy, May 23-25 in San Jose, CA.

Sue Walsh is News Writer for RTInsights, and a freelance writer and social media manager living in New York City. Her specialties include tech, security and e-commerce. You can follow her on Twitter at @girlfridaygeek.
