Cybersecurity researchers at the University of Michigan say they have uncovered security flaws in Samsung’s SmartThings smart home platform, one of which could enable physical access to premises.
In conjunction with Microsoft, the team performed four proof-of-concept attacks on an experimental setup of various SmartThings devices, and found vulnerabilities primarily in relation to the security rights granted to companion apps of the smart home devices tested.
Samsung’s SmartThings app store allows third-party developers to contribute SmartApps that run in the platform’s cloud, lets users customise functions, and currently holds over 500 apps.
The researchers say they were able to use a SmartApp normally used to monitor battery levels to eavesdrop on a user configuring a new PIN code for a smart door lock, and then transmit that PIN via text message to a potential hacker.
Another SmartApp was used to create a virtual spare door key by programming an additional pin into the electronic lock. Again, the app was not originally configured to perform this function.
Less malicious exploits allowed for the disabling of “vacation mode”, thereby allowing control of the timing of lights and blinds, and smart fire alarms could be manually triggered through the transmission of false messages through the apps’ event subsystem.
According to the research team, these exploits are the result of “over-privilege”, meaning companion apps were granted full access to functions its developers did not specify in their code.
Furthermore, the incorrect deployment of OAuth – a commonly used authentication method – allowed for the secondary door lock PIN to be created in conjunction with an over-privileged app.
The research team said they first uncovered these flaws last December and notified Samsung, who advised at the time it would work on fixes.
But a recent check on the state of the PIN code flaw a few weeks ago found it still existed.
“The bottom line is that it’s not easy to secure these systems," University of Michigan professor of computer science and engineering Atul Prakash said in a statement.
"There are multiple layers in the software stack and we found vulnerabilities across them, making fixes difficult.”
The researchers plan to present a paper on their findings, titled “Security Analysis of Emerging Smart Home Applications,” at the IEEE Symposium on Security and Privacy in San Jose, California on May 24.