ANN ARBOR, Mich. — Researchers at the University of Michigan and Microsoft Research describe how Samsung’s SmartThings home automation platform is potentially vulnerable to hackers in a new report that is being presented this month at the IEEE Symposium on Security and Privacy.
Specifically, the researchers focused on “over-privilege” in SmartThings apps: an app can be granted access to more functions than it needs to operate. For example, an app that only needs access to a door lock’s battery level might also have access to the device’s on/off switch.
According to the study, titled “Security Analysis of Emerging Smart Home Applications,” 55% of the platform’s smart apps are over-privileged.
Although a user chooses which smart devices work with the SmartThings platform, the researchers found that the system does not present enough information about all the device capabilities an app can access once a device becomes part of the platform. “The SmartApp gains access to all commands and attributes of all the capabilities implemented by the device handlers of the selected devices,” according to the paper.
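The grant rule quoted above can be checked mechanically. The following sketch is an added illustration, not code from the paper or from SmartThings: it compares what an app uses with what it is granted, and the capability table, device names and app profiles are constructed sample data.

```python
# Constructed capability model in the "capability.*" naming style; sample data
# for this example, not the platform's own definitions.
CAPABILITIES = {
    "capability.battery": {"commands": set(), "attributes": {"battery"}},
    "capability.lock": {"commands": {"lock", "unlock"}, "attributes": {"lock"}},
    "capability.switch": {"commands": {"on", "off"}, "attributes": {"switch"}},
}

# Constructed device handlers: each lists every capability it implements.
DEVICE_HANDLERS = {
    "front-door-lock": ["capability.lock", "capability.battery"],
    "hall-outlet": ["capability.switch"],
}


def ops(capability):
    """All (kind, name) operations a single capability exposes."""
    spec = CAPABILITIES[capability]
    return ({("command", c) for c in spec["commands"]}
            | {("attribute", a) for a in spec["attributes"]})


def audit(requested, bound_devices, used):
    """Compare what an app uses with what the grant rule hands it.

    requested: capabilities the app asks for
    bound_devices: devices the user selects for the app
    used: (kind, name) operations the app's code actually calls
    """
    requested_ops = set().union(*(ops(c) for c in requested))
    # Grant rule from the paper's quote: every command and attribute of every
    # capability implemented by the handlers of the selected devices.
    granted = set()
    for device in bound_devices:
        for capability in DEVICE_HANDLERS[device]:
            granted |= ops(capability)
    unused_in_requested = requested_ops - used   # capability is too coarse
    never_requested = granted - requested_ops    # device binding is too coarse
    return {
        "granted": granted,
        "unused_in_requested": unused_in_requested,
        "never_requested": never_requested,
        "over_privileged": bool(unused_in_requested or never_requested),
    }


if __name__ == "__main__":
    # Constructed app: reads only the battery level of the front-door lock.
    report = audit(["capability.battery"], ["front-door-lock"],
                   {("attribute", "battery")})
    print(sorted(report["never_requested"]))
```

The battery-monitor case mirrors the article's door-lock example: the app asks only for the battery reading, yet the grant includes the lock's commands because the same device handler implements both capabilities.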
In the video above, researchers demonstrate how they were able to execute four successful proof-of-concept hacks by creating malicious apps. The hacks allow the researchers to open electronic locks, change a smart home’s “vacation” settings, and trigger a fire alarm with false messages.
“Say you give someone permission to change the lightbulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets,” Atul Prakash, one of the researchers on the project, explains.
In a blog post on the SmartThings Web site, the company stated it has been working with the research team and has already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report.
“It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place,” Alex Hawkinson, founder and CEO of SmartThings, states in the blog.