Researchers have uncovered two significant design flaws in Samsung SmartThings that could allow attackers to break into users’ homes.
Have you ever wanted to turn your home into a smart home? Well, Samsung SmartThings gives you that ability.
SmartThings is a home monitoring kit consisting of a central hub that connects to a network of cameras, locks, and more. Sensors built into the kit allow a user to remotely manipulate their home’s windows, doors, lights, and appliances, as well as to monitor for movement inside the home.
Sounds useful, right? It is, but its utility comes at a cost.
A team consisting of researchers from Microsoft and the University of Michigan took it upon themselves to analyze SmartThings’ security design. After analyzing 499 SmartThings apps and 132 device handlers, they arrived at two major findings.
First, the researchers found that most of the apps were overprivileged; that is, they had access to more processes than they needed in order to perform a given function.
As the team notes on a website hosting their findings:
“We found two forms of overprivilege for SmartThings. First, coarse-grained capabilities lead to over 55% of existing SmartApps to be overprivileged. Second, coarse SmartApp-SmartDevice binding leads to SmartApps gaining access to operations they did not explicitly ask for. Our analysis reveals that 42% of existing SmartApps are overprivileged in this way.”
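The two forms of overprivilege in that quote can be checked for mechanically. The sketch below is an added example, not code from the researchers or from SmartThings: the capability table, device names and operation sets are constructed for illustration, and `audit` is a hypothetical helper.

```python
# Constructed model: operations (commands and "attr:" reads) each capability grants.
CAPABILITY_OPS = {
    "capability.lock": {"lock", "unlock", "attr:lock"},
    "capability.battery": {"attr:battery"},
    "capability.switch": {"on", "off", "attr:switch"},
}

# Constructed devices: the capabilities each device handler exposes.
DEVICE_CAPS = {
    "front-door-lock": {"capability.lock", "capability.battery"},
    "hall-light": {"capability.switch"},
}


def audit(requested, bound_devices, used_ops):
    """Report both forms of overprivilege for one app.

    requested     -- capabilities the app asked for at install time
    bound_devices -- devices the user selected to satisfy those requests
    used_ops      -- operations the app's code actually invokes
    """
    requested_ops = set()
    for cap in requested:
        requested_ops |= CAPABILITY_OPS[cap]

    # Form 1: a coarse capability bundles operations the app never uses.
    coarse = requested_ops - set(used_ops)

    # Form 2: binding to a device exposes every capability that device has,
    # including ones the app never requested.
    reachable = set()
    for device in bound_devices:
        for cap in DEVICE_CAPS[device]:
            reachable |= CAPABILITY_OPS[cap]
    binding = reachable - requested_ops

    return {"coarse_capability": sorted(coarse), "device_binding": sorted(binding)}


def audit_samples():
    """Audit two constructed apps: a battery monitor and an auto-lock app."""
    return {
        "battery-monitor": audit({"capability.battery"}, ["front-door-lock"],
                                 {"attr:battery"}),
        "auto-lock": audit({"capability.lock"}, ["front-door-lock"], {"lock"}),
    }


if __name__ == "__main__":
    for app, findings in audit_samples().items():
        print(app, findings)
```

In this model the battery monitor only ever asked to read a battery level, yet the binding to the lock device puts `lock` and `unlock` within its reach, while the auto-lock app holds `unlock` even though it only ever locks.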
Second, the platform’s subsystem does not adequately protect events that carry information such as door lock pincodes.
Combining those two design flaws as well as a series of other vulnerabilities they found, the researchers conducted four proof-of-concept attacks demonstrating how malicious actors could compromise users’ security.
The first proof-of-concept was by far the worst. By tricking the user into clicking on a malicious link containing a hidden redirect, the researchers were able to steal the victim’s login tokens. They were in turn able to use those credentials to log into the cloud-based controls for the door-lock app, where they could access all available lock codes or (even worse) set new ones, thereby effectively locking the victim out of their own home.
The researchers were also able to develop POC attacks demonstrating how they could disable vacation mode and induce a fake fire alarm.
According to a paper summarizing their findings, the researchers first disclosed the vulnerabilities to SmartThings back in December.
Since then, SmartThings has responded with a post in which it claims that, as a result of the approval processes it has in place, the vulnerabilities have not affected any customers. The Samsung-owned company also describes how it has modified its platform to accept only “published” SmartApps and updated its best practices.
The post does not directly address any of the vulnerabilities found in the researchers’ paper, however.
This is not an instance of a flawed media streamer or a stupid doll that spies on your children.
SmartThings is supposed to protect your home, and these vulnerabilities threaten its ability to do so. With that in mind, users should carefully weigh their decision to connect SmartThings to their home.
Indeed, a standard security system might ultimately be the better, safer option.