A research team from the University of Michigan and Microsoft Research has discovered a vulnerability in Samsung's SmartThings platform that can allow attackers to perform unauthorised activities through a malicious app. The vulnerability is major considering that it can allow an attacker to control a broad range of personal devices under SmartThings such as motion sensors, fire alarms, and door locks.
Samsung however has released number of updates that are claimed to protect SmartThings users against the potential vulnerabilities reported by the research team. "Over the past several weeks, we have been working with this research team and have already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report. It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place," said Alex Hawkinson Founder and CEO, SmartThings.
In a published report, the researchers explain how they exploited the vulnerability, "SmartThings hosts the application runtime on a proprietary, closed-source cloud backend, making scrutiny challenging. We overcame the challenge with a static source code analysis of 499 SmartThings apps (called SmartApps) and 132 device handlers, and carefully crafted test cases that revealed many undocumented features of the platform."
The report highlighted two design flaws that can allow attackers to take advantage of a privilege problem in SmartApps. First the SmartApp is granted full access to a device even if it just requires only limited access to the device, and secondly SmartThings event subsystem does not sufficiently protect events that carry sensitive information such as lock codes. "Our analysis reveals that over 55 percent of SmartApps in the store are over privileged due to the capabilities being too coarse-grained," added the report.
To check the vulnerability in SmartThings, researchers exploited design flaws and constructed an attack. "Four proof-of-concept attacks that: (1) secretly planted door lock codes; (2) stole existing door lock codes; (3) disabled vacation mode of the home; and (4) induced a fake fire alarm. We conclude the paper with security lessons for the design of emerging smart home programming frameworks," added the report. The researchers also demonstrated the exploit in a video.
The researchers also conducted a survey with 22 SmartThings users regarding the door lock pin-code snooping attack. "Our survey result suggests that most of our participants have limited understanding of security and privacy risks of the SmartThings platform - over 70 percent of our participants responded that they would be interested in installing a battery monitoring app and would give it access to a door lock. Only 14 percent of our participants reported that the battery monitor SmartApp could perform a door lock pin-code snooping attack," added the report.
Samsung acknowledged the team of researchers and adds that it regularly performs security checks of its SmartThings system and also engages with professional third-party security experts to find any potential vulnerabilities in the platform.