Security researchers from the University of Michigan have discovered multiple flaws affecting the Samsung Smart Home automation system that could be exploited by remote attackers for several attacks, including making keys for connecting front door locks.
The experts evaluated the platform’s security design and coupled that with the analysis of 499 SmartThings apps (aka SmartApps) and 132 device handlers using static code analysis tools that we built.
SmartThings implement a privilege separation model, but two intrinsic design flaws lead to significant overprivilege in SmartApps.
The SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock codes.
“Our key findings are twofold. First, although SmartThings implements a privilege separation model, we discovered two intrinsic design flaws that lead to significant overprivilege in SmartApps. Our analysis reveals that over 55% of SmartApps in the store are overprivileged due to the capabilities being too coarse-grained. Moreover, once installed, a SmartApp is granted full access to a device even if it specifies needing only limited access to the device.” the researchers wrote in a paper “Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock codes.”
In the second attack scenario, the researchers exploited a design flaw in the SmartThings framework by creating a proof-of-concept app that requested only privileges to monitor the battery reserves, but that in reality was able to steal the lock codes from the devices.
The experts devised several proof-of-concept exploits including the ones against the Samsung SmartThings IoT platform.
The exploits leverage on two design flaws in the SmartThings framework. The key findings of the analysis are:
“All of the above attacks expose a household to significant harm—break-ins, theft, misinformation, and vandalism,” added the researchers. “The attack vectors are not specific to a particular device and are broadly applicable.”
The researchers published the following proof-of-concept attacks:
The most dangerous attack was dubbed by researchers “backdoor pin code injection attack,” it consists of a remote lock-picking attack that could give hackers access to users’ homes.
The attacked can send to the victim a specifically crafted HTTPS link in order to obtain the OAuth token that the app and SmartThings platform relied on to authenticate the users.
When the victim provided his credentials, a flaw in the app allowed the link to redirect them to a website managed by the hackers, the attackers operate on behalf of the victim.So far, Samsung has provided no details on plans to fix it.
At the time I was writing, Samsung hasn’t planned yet to fix the issues in the Smart Home automation system.
Anyway, users should think twice before connecting critical components to such kind of platforms.
(Security Affairs – IoT, Samsung Smart Home automation system)