;

Serious Security Flaws Found in Samsung SmartThings Platform

Computer scientists have discovered vulnerabilities in Samsung’s smart home automation system that allowed them to carry out a host of remote attacks.

ANN ARBOR, Mich. – Researchers at the University of Michigan and Microsoft Research describe how Samsung’s SmartThings home automation platform is potentially vulnerable to hackers in a new report that is being presented this month at the IEEE Symposium on Security and Privacy.

Specifically, the researchers focused on the potentially susceptible “over-privilege” of SmartThings apps, which allows access to more functions than are necessary to operate the system. For example, an app that only needs access to a door lock’s battery level might also have access to the device’s on/off switch.

According to the study, titled “Security Analysis of Emerging Smart Home Applications,” 55% of the platform’s smart apps are over-privileged.


READ NEXT: How-To Info On Hacking Wireless Alarm Systems Readily Available Online


Although a user determines which smart devices to work with the SmartThings platform, the researchers found that the system does not present enough information about all the device capabilities the system can access once it becomes a part of the platform. “The SmartApp gains access to all commands and attributes of all the capabilities implemented by the device handlers of the selected devices,” according to the paper.

In the video above, researchers demonstrate how they were able to execute four successful proof-of-concept hacks by creating malicious apps. The hacks allow the researchers to open electronic locks, change a smart home’s “vacation” settings, and trigger a fire alarm with false messages.

“Say you give someone permission to change the lightbulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets,” Atul Prakash, one of the researchers on the project, explains.

In a blog post on the SmartThings Web site, the company stated it has been working with the research team and has already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report.

“It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place,” Alex Hawkinson, founder and CEO of SmartThings, states in the blog.

About the Author

Contact:

Although Bosch’s name is quite familiar to those in the security industry, his previous experience has been in daily newspaper journalism. Prior to joining SECURITY SALES & INTEGRATION in 2006, he spent 15 years with the Los Angeles Times, where he performed a wide assortment of editorial responsibilities, including feature and metro department assignments as well as content producing for latimes.com. Bosch is a graduate of California State University, Fresno with a degree in Mass Communication & Journalism. In 2007, he successfully completed the National Burglar and Fire Alarm Association’s National Training School coursework to become a Certified Level I Alarm Technician.

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.

A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!


Get Our Newsletters