SmartThings security flaws revealed

Attack on SmartThings to remotely change door lock PIN
Credit: Earlence Fernandes

Researchers developed four proof-of-concept attacks that show how hackers could take control of smart home devices

Researchers from the University of Michigan and Microsoft Research took aim at Samsung’s SmartThings and came up with four proof-of-concept attacks that they believe should make SmartThings owners a bit paranoid, given the worst-case scenarios in which hackers remotely take control of your home.

If a hacker could unlock your door while you are sleeping, then your safety is at risk. If the door is unlocked while you are away, then you might come home to discover all your cool tech is gone. If a hacker could continually set off your smoke alarm, then your sanity might be tested.

None of those examples is out of the realm of possibility, as the researchers exploited SmartThings framework design flaws and developed attacks that included stealing door lock PIN codes, changing the lock code, triggering a fake fire alarm and turning off vacation mode “all without requiring SmartApps to have capabilities to carry out these operations and without physical access to the home.”

The researchers chose SmartThings because it is fairly popular, supports numerous devices and has more apps than any other smart home platform. Analyzing SmartThings was tricky, the researchers explained in their research paper (pdf), because the “apps run on a proprietary cloud platform, and the framework protects communication among major components such as hubs, cloud back end and the smartphone companion app.”

Nevertheless, they analyzed the platform’s security design, the source code of 499 SmartApps and 132 device handlers, and then crafted test cases that revealed undocumented features in the SmartThings platform.

Design flaws discovered

How well does SmartThings protect physical devices and associated data? Not very well. The SmartThings framework does include security measures such as a privilege separation mechanism meant to limit what operations a SmartApp can issue to a compatible device, yet the researchers discovered “two intrinsic design flaws that lead to significant overprivilege” in SmartThings apps, called SmartApps.

SmartApps are no better than most other apps in that they hold excessive permissions that are not actually needed for the app to do its job. More than 55 percent of SmartApps are “overprivileged due to the capabilities being too coarse-grained.” After a SmartApp is installed, it “is granted full access to a device even if it specifies needing only limited access to the device.” Additionally, the researchers found that “the SmartThings event subsystem has inadequate security controls.”

One attack exploits the way an unnamed Android SmartApp implemented OAuth. The app, which lets household members remotely manage connected devices, does not follow SmartThings’ OAuth recommendations, yet it exists nonetheless. The researchers explained that if a hacker could trick a SmartThings owner into clicking on a link, such as in a forum post or an email, and the link takes them to the real SmartThings HTTPS login page where they log in, the attacker could use the hidden redirect to steal the OAuth token. At that point, the attacker could change the smart door lock PIN code. The pictured attack is such a backdoor PIN-code injection.
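The token theft above works because the OAuth flow ends up sending the token somewhere other than the legitimate app. The standard defence for that class of problem is strict validation of the redirect target against what was registered for the client. The following is an added example, not code from the article, the researchers or SmartThings: it contrasts a lax prefix check with an exact, normalized allowlist check. The registered callback URI is a constructed placeholder, and where in the flow the check runs (the authorization server) is a general OAuth assumption rather than something the article states.

```python
"""
Added example: strict versus lax redirect_uri validation for an OAuth flow.

The lax check accepts any URI that merely begins with a registered one, which
lets a query string or path traversal carry the authorization response onward to
an unrelated host via an open redirect. The strict check canonicalizes the URI
and requires an exact match on scheme, host, port and path, with no userinfo,
query or fragment.
"""
from urllib.parse import urlsplit

# Constructed placeholder for the callback a hypothetical client registered.
REGISTERED_REDIRECTS = {"https://app.example.com/oauth/callback"}


def redirect_allowed_lax(uri: str) -> bool:
    """The weak check: a simple string-prefix comparison."""
    return any(uri.startswith(registered) for registered in REGISTERED_REDIRECTS)


def _canonical(uri: str):
    """Return (scheme, host, port, path) for a redirect-safe URI, else None."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    # Credentials, query strings and fragments have no place in a registered callback.
    if parts.username or parts.password or parts.query or parts.fragment:
        return None
    # Reject path traversal such as /oauth/callback/../open-redirect.
    if ".." in parts.path.split("/"):
        return None
    return (parts.scheme, parts.hostname.lower(), port or 443, parts.path or "/")


_REGISTERED_CANONICAL = {_canonical(u) for u in REGISTERED_REDIRECTS}


def redirect_allowed_strict(uri: str) -> bool:
    """The least-privilege check: exact match against the canonical allowlist."""
    canonical = _canonical(uri)
    return canonical is not None and canonical in _REGISTERED_CANONICAL


def compare(uri: str) -> dict:
    """Evaluate one candidate redirect_uri under both policies."""
    return {"uri": uri, "lax": redirect_allowed_lax(uri), "strict": redirect_allowed_strict(uri)}


if __name__ == "__main__":
    # Constructed candidates: the registered URI, a query-string forwarder,
    # a traversal attempt, a differently-cased host and a plain-http downgrade.
    for candidate in (
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback?next=https://third-party.example",
        "https://app.example.com/oauth/callback/../redirect",
        "https://APP.example.com:443/oauth/callback",
        "http://app.example.com/oauth/callback",
    ):
        print(compare(candidate))
```

Only the exact registered callback passes the strict check, while the lax check waves through both the query-string forwarder and the traversal attempt; the case-normalized host with an explicit default port passes strictly but not laxly, which shows why canonicalization rather than string comparison is the right basis for the decision.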

Three other proof-of-concept attacks required more social engineering to persuade a SmartThings owner to download a malicious app. They came up with the idea of an app that would monitor the battery level of connected devices. It’s not a bad idea, as 77 percent of surveyed SmartThings owners said they would use such an app and 91 percent would like the app to monitor the battery status of their Schlage door lock. However, those owners would have no reason to believe a battery monitoring app for their smart door lock could also send access codes to a remote server.
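The coarse-grained capability flaw described under “Design flaws discovered” and the battery-monitor app above are two views of the same problem: an app that declares a narrow need is bound to the whole device. The following is an added illustration, not code from the researchers or the SmartThings platform, written as a toy Python model rather than a Groovy SmartApp. The Lock class, the capability-to-method mapping and the two binding policies are all hypothetical; the point is to show what a least-privilege binding has to enforce that a coarse-grained one does not.

```python
"""
Added example: a toy model of coarse-grained versus fine-grained device capabilities.

A hypothetical "battery monitor" app declares only the battery capability of a
lock. Under the coarse-grained binding it nevertheless receives the whole device
and can read and change lock codes; under the fine-grained binding only the
methods of the declared capabilities resolve.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when a call falls outside the app's declared capabilities."""


@dataclass
class Lock:
    """Hypothetical door lock exposing two capabilities: battery and lockCodes."""
    name: str
    battery: int = 87
    codes: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def battery_level(self) -> int:          # capability "battery"
        return self.battery

    def get_codes(self) -> dict:             # capability "lockCodes"
        return dict(self.codes)

    def set_code(self, slot: int, pin: str) -> None:  # capability "lockCodes"
        self.codes[slot] = pin
        self.audit.append(("set_code", slot))


# Assumed mapping from capability name to the device methods it covers.
CAPABILITY_METHODS = {
    "battery": {"battery_level"},
    "lockCodes": {"get_codes", "set_code"},
}


class CoarseGrainedBinding:
    """Models the flaw: declaring any capability yields the entire device."""

    def __init__(self, device, requested_capabilities):
        self.device = device  # requested_capabilities is ignored, as in the flaw

    def __getattr__(self, name):
        return getattr(self.device, name)


class FineGrainedBinding:
    """Least-privilege alternative: only declared capabilities' methods resolve."""

    def __init__(self, device, requested_capabilities):
        self.device = device
        self.allowed = set().union(*(CAPABILITY_METHODS[c] for c in requested_capabilities))

    def __getattr__(self, name):
        if name not in self.allowed:
            raise PermissionDenied(f"{name!r} is not covered by the declared capabilities")
        return getattr(self.device, name)


def run_battery_app(binding) -> dict:
    """A battery-monitor app that also attempts lock-code operations.

    Returns what it actually managed to do, so the two policies can be compared.
    """
    result = {"battery": binding.battery_level(), "codes": None, "changed": False}
    try:
        result["codes"] = binding.get_codes()
        binding.set_code(1, "0000")
        result["changed"] = True
    except PermissionDenied:
        pass
    return result


def demo() -> dict:
    """Run the same app against a fresh lock under each binding policy."""
    coarse_lock = Lock("front door", codes={1: "1234"})
    fine_lock = Lock("front door", codes={1: "1234"})
    return {
        "coarse": run_battery_app(CoarseGrainedBinding(coarse_lock, ["battery"])),
        "fine": run_battery_app(FineGrainedBinding(fine_lock, ["battery"])),
        "coarse_lock_codes": coarse_lock.codes,
        "fine_lock_codes": fine_lock.codes,
    }


if __name__ == "__main__":
    print(demo())
```

Under the coarse-grained binding the app reads the existing code and overwrites slot 1 even though it declared only the battery capability; under the fine-grained binding the first lock-code call is refused and the lock is left untouched, which is the behaviour the researchers' "principle of least privilege" remark asks the platform to guarantee.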

4 attacks on SmartThings

By tricking a user into downloading a malicious app, the researchers said, an attacker could pull off PIN-code snooping, disable vacation mode and trigger a fake fire alarm.

Videos of all of the attacks are on the researchers’ IoT Security site. They believe their research “serves as the first critical piece in the effort towards secure smart homes.” The research paper, “Security Analysis of Emerging Smart Home Applications,” will be presented at the 37th IEEE Symposium on Security and Privacy later this month.

Researchers Earlence Fernandes, Jaeyeon Jung and Atul Prakash disclosed the vulnerabilities to SmartThings in December. In January, SmartThings said it would strengthen its OAuth tokens by April. In April, SmartThings said it had a dedicated team for reviewing SmartApps and web services endpoints to make sure they were benign in operation.

SmartThings said it “continues its effort to enhance the principle of least privilege by limiting the scope of valid access to only those areas explicitly needed to perform any given authorized action.”

The company also updated documentation to enforce that practice.
