Samsung has said there's nothing for owners of its SmartThings home security gear to worry about – after researchers showed numerous ways to commandeer devices and disable locks.
The three researchers from the University of Michigan, who were partially sponsored by Microsoft, have demonstrated that with the help of malicious apps, electronically activated door locks can be opened, alarms set off, and settings fiddled with for smartish homes – all remotely.
The research, to be presented at the Proceedings of 37th IEEE Symposium on Security and Privacy later this month, looked at SmartThings because it has the largest third-party app ecosystem and covered a wide range of home automation products.
Essentially, owners of Samsung SmartThings Hubs can buy gadgets like motion sensors, water leak sensors, remote-controlled power outlets, coffee makers and door locks, and wirelessly connect the gizmos to their hub. These devices are then controlled via SmartApps, which are little widgets that run on your smartphone and are installed via Samsung's SmartThings app for iOS, Android and Windows Phone.
It was found that these individual SmartApps can wield quite a lot of power, far more than they should over a home's equipment. They can control hardware completely unlike the gadgets they should be managing. Samsung claims it would never allow a malicious SmartApp to appear in its SmartThings market place.
"Our key findings are twofold. First, although SmartThings implements a privilege separation model, we found that SmartApps can be overprivileged. That is, SmartApps can gain access to more operations on devices than their functionality requires," they said.
"Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock PIN codes."
The researchers found that 55 per cent of SmartThings apps ask for the access rights to many more SmartThings devices than is needed. In one of the demonstrated hacks, a SmartThings device battery monitoring app could be used to reset a programmable door lock, potentially granting a miscreant easy access to a victim's home.
In addition, 42 per cent of apps can gain extra access to SmartThings functions without ever asking the user for permission. In another example, the team showed off how to set off a false carbon monoxide alert after writing a malicious SmartApp that impersonated the gas detector.
The code to carry out these hacks is now up on GitHub but those with a larcenous bent can forget about using it in real world attacks: the firm has fixed the issues that allow the mischievous apps to work. Samsung SmartThings told The Reg that the researchers involved had been in contact well before publication of their findings, and the chaebol has fixed the issues.
"The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure," a SmartThings spokeswoman said.
"Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp."
That the IoT industry is woefully bad at security is nothing new – we've been covering these stories for years now. At least SmartThings isn’t as egregious as the SimpliSafe "smart" alarm system, which can be hacked without having to install malicious apps and seems to be unfixable.
But it does show that – for all the warnings – things aren't improving fast enough and relying on simple mechanical locks and unconnected alarm systems could be the way forward for the time being. ®