Researchers have managed to exploit design flaws in the Samsung SmartThings smart home programming platform and successfully mount a series of attacks that could result in smart homes being entered, burglarized, and generally made insecure by attackers via malicious apps.
Setting up a Samsung SmartThings hub lets users connect a range of devices to it, such as fire alarms, motion sensors, cameras, thermostats, smart door locks and smart kitchen appliances. These devices can then be controlled remotely via SmartThings apps (SmartApps), either the official one or third-party apps.
There are other smart home programming frameworks that support third-party app development, but SmartThings currently has the largest number of apps published by third-party developers, which is why the group of researchers from the University of Michigan and Microsoft chose to analyze it for weaknesses.
They did so by performing a static source code analysis of 499 SmartApps and 132 device handlers. They discovered many undocumented features of the platform, as well as critical design flaws.
“First, although SmartThings implements a privilege separation model, we discovered two intrinsic design flaws that lead to significant overprivilege in SmartApps,” they noted. “Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock codes.”
By exploiting these flaws, they demonstrated how an attacker could steal existing door lock codes or set up new ones known only to the attacker, disable the smart home's "vacation mode", and trigger the fire alarm when there is no fire.
The researchers shared their findings with Samsung, which said it will fix the issues.
“SmartThings has a dedicated team responsible for reviewing any existing and new SmartApps. Our immediate mitigation is to have this team analyze already published and new applications alike to detect any behavior that exposes HTTP endpoints and ensure that every method name passed thru HTTP requests are not invoked dynamically,” the SmartThings security team told the researchers last month.
“Our team members also now examine all web services endpoints to ensure that these are benign in their operation. SmartThings continues its effort to enhance the principle of least privilege by limiting the scope of valid access to only those areas explicitly needed to perform any given authorized action. Moreover, it is our intention to update our internal and publicly available documentation to formalize and enforce this practice using administrative means.”
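The mitigation the SmartThings team describes above, that a method name arriving in an HTTP request must not be invoked dynamically, is a general rule for any web-exposed app. The following added example (not SmartThings code, and with invented handler names) contrasts the two dispatch patterns in Python: resolving the request-supplied name against the app's namespace, which makes every public method reachable, versus routing through a fixed allowlist that only exports the handlers the developer intended.

```python
"""Dispatching a request-supplied method name to a handler.

Added illustration, not SmartThings or research code. Handler names and
behaviour are constructed for this example.
"""
from typing import Callable, Dict, List, Tuple


def list_devices() -> str:
    return "devices: lock, thermostat"


def set_thermostat() -> str:
    return "thermostat updated"


def set_lock_code() -> str:
    # Privileged action that is never meant to be reachable from a request.
    return "lock code changed"


class App:
    """Stand-in for the app object whose methods a request might name."""
    list_devices = staticmethod(list_devices)
    set_thermostat = staticmethod(set_thermostat)
    set_lock_code = staticmethod(set_lock_code)


def dispatch_dynamic(app: App, method_name: str) -> Tuple[int, str]:
    """Weak pattern: look the handler up by the string the request supplied.

    Every public method of the app becomes callable by whoever can reach the
    endpoint, including ones the developer never intended to expose.
    """
    handler = getattr(app, method_name)  # name is controlled by the request
    return 200, handler()


# Hardened pattern: an explicit table of exported actions. Privileged helpers
# are simply absent from it, so no request value can select them.
ALLOWED_ACTIONS: Dict[str, Callable[[], str]] = {
    "list": list_devices,
    "thermostat": set_thermostat,
}


def dispatch_allowlisted(method_name: str) -> Tuple[int, str]:
    """Route only through the allowlist; unknown names get a 404, not a lookup."""
    handler = ALLOWED_ACTIONS.get(method_name)
    if handler is None:
        return 404, f"unknown action {method_name!r}"
    return 200, handler()


def audit_reachable(app: App) -> List[str]:
    """Reviewer's check: which public callables could dynamic dispatch reach?

    Comparing this list with ALLOWED_ACTIONS shows what the weak pattern exposes.
    """
    return sorted(
        name for name in dir(app)
        if not name.startswith("_") and callable(getattr(app, name))
    )


if __name__ == "__main__":
    print("reachable via dynamic dispatch:", audit_reachable(App()))
    print("exported via allowlist:", sorted(ALLOWED_ACTIONS))
    print(dispatch_dynamic(App(), "set_lock_code"))
    print(dispatch_allowlisted("set_lock_code"))
```

The audit function is the part a review team would run over submitted apps: any public method that the app never meant to export but that a dynamic dispatcher can reach is exactly the exposure the quoted mitigation targets.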
In a recent announcement following the release of the research, SmartThings founder and CEO Alex Hawkinson made sure to note that "the report discloses hypothetical vulnerabilities in the SmartThings platform and demonstrates how, under certain circumstances, they could be exploited."
"It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place. Over the past several weeks, we have been working with this research team and have also already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report," he pointed out, adding that, of course, code downloaded from an untrusted source can present a potential risk.
For more details about the research and demonstrations of the attacks, check out this website set up by the researchers.