Researchers Find Security Issues With Samsung’s SmartThings, While Report Shows 6 In 10 Internet Users Concerned With Privacy
In a survey published this past April by the Centre for International Governance Innovation and Ipsos, approximately 57 percent of global consumers said they were "much more" or "somewhat more" concerned about Internet privacy than they were last year. These results come after researchers surveyed approximately 24,000 Internet users between 16 and 64 years of age in 24 countries.
Just 30 percent claimed that they thought their government was doing enough to keep personal information secure and safe from private companies. About 80 percent were "concerned" that their information was being bought or sold on the Internet, or that it was being monitored.
"Global citizens are increasingly worried about their online privacy and security, especially when it comes to how their personal data is handled by private corporations and governments," wrote the authors of the report. "There are unanswered questions about the extent to which global citizens can trust the Internet's limitless reach — and whose responsibility it is to govern this unchartered space."
Perhaps Internet users have reason for concern.
For instance, researchers at the University of Michigan recently published a report that exposed flaws in the security of Samsung's SmartThings. The SmartThings system supports a wide range of devices, including door locks, fire alarms and motion sensors. The researchers discovered that more than 55 percent of SmartThings apps (the apps required to handle connected devices) are "over-privileged." This means that they have full access to connected devices, even if they only need limited access. These SmartApps, as they're called, also do not protect events that carry sensitive information, such as lock codes, according to the researchers.
During experimentation, the researchers exposed common vulnerabilities within SmartThings and were able to steal lock PIN codes. Additionally, they could disable a vacation mode SmartApp and cause fake fire alarms, all without physical access to the home.
The researchers said that they reported their findings to SmartThings on Dec. 17, 2015. As of Jan. 12, 2016, the SmartThings internal team was supposedly working on strengthening OAuth tokens. Samsung has said that it conducts app reviews to prevent malicious apps from reaching end users, but the study authors do not believe these efforts are enough.
Update: SmartThings published a blog post on May 2, specifying that its research team has implemented a number of security updates that address potential vulnerabilities. Thus far, as a result of the app approval process it has in place, SmartThings customers have not reported any attacks.