Researchers from the University of Michigan exposed vulnerabilities in one of the leading Internet of Things (IoT) platforms: Samsung's Smart Home automation system.
According to the team of computer scientists, the vulnerabilities they discovered allowed them to hack Samsung's SmartThings, an open platform for smart homes and IoT consumers.
The SmartThings hub is utilized by third-party developers and customers for connecting smart home gadgets, such as cooking appliances, thermostats, electronic locks and security alarm systems.
The researchers successfully constructed four proof-of-concept attacks that expose Samsung SmartThings' vulnerability. These involved secretly planting door lock codes, stealing existing door lock codes, disabling the vacation mode of the home security system and inducing a fake fire alarm. They also added that the remote attacks could be launched anywhere in the world, thus exposing a household to significant harm.
The researchers created their own static code analysis tools to evaluate SmartThings' security framework, as well as 499 SmartApps and 132 device managers. They found out that the vulnerability in the system is caused by two fundamental weaknesses in SmartThings' design structure: the SmartApps being "overprivileged" and the SmartThings subsystem having insufficient security to protect "events" that store sensitive data such as passwords and lock codes.
The researchers explained that "overprivilege" means that the existing apps are given access to more operations present on the device than what their original features require. A good example is when a battery manager app, which is supposed to be used to read the battery level, is also allowed to control the on/off feature of the same device. Their analysis revealed that 55 percent of SmartApps are overprivileged, while 42 percent are granted privileges they aren't even designed to do.
Perhaps the most alarming part of the vulnerability test was the "backdoor pin code injection attack." The researchers were successful in remotely picking the door lock of users' homes through one of the existing SmartThings apps.
The attack is deployed by launching an HTTPS link that tricks targeted users to authenticate their login information if clicked. Once the username and password are entered and the OAuth token obtained, the information is redirected from SmartThings page to an attacker-controlled site. This vulnerability can now be exploited by hackers to access the locks, pins and other passwords the home users have.
Additionally, the researchers said that by constructing a proof-of-concept app that originally requested privileges to monitor the battery life of a smart home device, they were able to "read commands running on a device." The malicious app managed to peek into the lock codes entered by unsuspecting users in real time, and these codes were sent to an attacker via text message.
"All of the above attacks expose a household to significant harm-break-ins, theft, misinformation and vandalism," the researchers said.
SmartThings officials have taken immediate action to address the vulnerabilities. In a blog post, Tim Slagle, the company's developer advocate, announced that the OAuth mechanism has recently been patched.
