Samsung SmartThings Platform Latest To Highlight Internet Of Things Security Is A Joke

from the just-buy-a-dog dept

Tue, May 3rd 2016 6:27am — Karl Bode

Stop us if you've heard this one before: a new study has found that the "Internet of Things" may bring some added convenience, but at the high price of severe security vulnerabilities. Researchers at the University of Michigan say they've uncovered (pdf) some major new vulnerabilities in Samsung's SmartThings platform that could allow an attacker to unlock doors, modify home access codes, create false smoke detector alarms, or put security and automation devices into vacation mode. Researchers say this can be done by tricking users into either installing a malicious app from the SmartThings store, or by clicking a malicious link.

The URL attack relies on SmartThings' flawed implementation of the OAuth authentication protocol. In short, a malicious URL can be used to trick the consumer into giving up his login tokens without the slightest indication anything has gone wrong, but providing an attacker with the ability to create his own backdoor -- into your front door:

"Broadly, this part of the attack involves getting a victim to click on a link that points to the authentic SmartThings domain with only the redirect_uri portion of the link replaced with an attacker controlled domain. The victim should not suspect anything since the URL indeed takes the victim to the genuine HTTPS login page of SmartThings. Once the victim logs in to the real SmartThings Web page, SmartThings automatically redirects to the specified redirect URI with a 6 character codeword. At this point, the attacker can complete the OAuth flow using the codeword and the client ID and secret pair obtained from the third-party app’s bytecode independently."

If the malicious URL approach isn't used, attackers can also rely on tricking consumers into downloading a malicious app that -- for example -- might claim to offer you insight into device battery consumption, but can actually also give an attacker the keys to your kingdom. This is in part, the researchers note, due to the fact that 42% of over 500 apps in the SmartThings store are are given significantly more system privileges than they actually need to accomplish the task at hand:

"We found that SmartApps were significantly overprivileged: (a) 55% of SmartApps did not use all the rights to device operations that their requested capabilities implied; and (b) 42% of SmartApps were granted capabilities that were not explicitly requested or used. In many of these cases, overprivilege was unavoidable, due to the device-level authorization design of the capability model and occurred through no fault of the developer. Worryingly, we have observed that 68 existing SmartApps are already taking advantage of the overprivilege to provide extra features, without requesting the relevant capabilities.

As is pretty standard behavior in the Internet of Things space, Samsung was quick to downplay the problems in a statement to the media and throw developers under the bus (despite the report clearly outlining Samsung's responsibility):

"The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios - the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure," a SmartThings representative said. "Following this report, we have updated our documented best practices to provide even better security guidance to developers."

The problem is the report clearly notes that neither of these two scenarios is all that unlikely. In an admittedly small survey of 22 SmartThings users, the study found that 91% would let a battery monitoring app check the status of their smart lock. But quite justly, just 14% of those polled believed that providing such access would somehow involve the app being able to send door access codes to a remote server. The study, and Samsung's reaction to it, are just another example of how if you really want a smart and secure home, "dumber" solutions -- like dead bolts and a dog -- remain the more intelligent option.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: hacking, internet of things, security, smartthings
Companies: samsung

24 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 3 May 2016 @ 6:57am

I've not seen anyone actually use any IoT device nor talk of using one for their home nor mention even wanting one.

Who actually buys these voyeuristic devices?
[ link to this | view in chronology ]
- Anonymous Coward, 3 May 2016 @ 7:10am
  
  Re:
  ...especially for the front door!
  [ link to this | view in chronology ]
- Anonymous Coward, 3 May 2016 @ 8:10am
  
  Re:
  I can see certain appeal in it but currently I will wait for a later generation. Looking at it from an economical point of view, I wouldn't mind having smart power outlets that let me know what is consuming power. Also have the ability to manage the power of those outlets so I can schedule them. The other part I wouldn't mind having is if my alarms could trigger my phone. Either way, when I do decide to make the jump, it will probably be something that is opensource.
  [ link to this | view in chronology ]
- Anonymous Coward, 3 May 2016 @ 8:17am
  
  Response to: Anonymous Coward on May 3rd, 2016 @ 6:57am
  You won't see them hanging around a tech blog. Talk to a cable tech or tech support operator. A tech can keep me occupied telling me stories of people with smart coffee makers, ovens fridges and now everyone is getting into security systems. No one asks about security.
  [ link to this | view in chronology ]
- Derek Kerton (profile), 3 May 2016 @ 9:35am
  
  Re:
  "Who actually buys these voyeuristic devices?"
  
  I do.
  
  And, I've solved two robberies with them, and one liability question. One a motorcycle next door where I could identify the vehicle. For liability, a dump truck cut cables by mistake, and I could identify the company from the logo on the door.
  
  Both of those are camera functions, though. In my main home, My Smartthings setup is relegated to control of lights.
  
  But at a lake house in Canada, I connected a door lock too. I use the IoT features to alert me when the front door is unlocked, to program door codes, and to operate the HVAC.
  
  This allows my family to save lots of money by lowering the thermostat way down in the winter, but activate the heater prior to going to the house. We use water sensors and cameras to alert us to potential ice and flood damage at lake level, and in the house.
  
  The remote programming of the door locks allows us to give service personnel temporary access by programming a code for them that we promptly erase. By using IoT, NOBODY ever gets a key they can copy, nor a hiding spot for a physical key. This increases our safety.
  
  Thus in my total experience, IoT has increased my safety, lowered my energy use, and solved two crimes and one liability.
  
  I agree entirely with the uMich engineers in the video, however, there are benefits as well as costs of an IoT home. I have to weigh the security costs against these benefits, and in the end, I'm pretty sure the IoT smarthome is worth it.
  
  One way to use these tools, but not be too exposed to risk is to silo them a little - that is, don't connect your light control system to your door locks. Don't install too many external apps, and to generally protect your home LAN with a good firewall.
  
  Foscam cameras, for example, were known to have been hacked. If they were on the Internet, hackers could port sniff, find the cam, and view it. But if you had all your cams behind a gateway with a good firewall, you would be safe. Or even if you just password protect your cams beyond defaults.
  
  Anyway, I don't kid myself that I'm not hackable. Everything is. But I try to make it hard, and I weigh the cost/benefit of the IoT.
  [ link to this | view in chronology ]
  - Anonymous Coward, 3 May 2016 @ 12:15pm
    
    Re: Re:
    Thus in my total experience, IoT has increased my safety, lowered my energy use, and solved two crimes and one liability.
    
    All of which could have been done without IoT.
    
    I weigh the cost/benefit of the IoT.
    
    I think your thumb is on the scales. You seem to be giving it credit that it doesn't deserve while downplaying the risks.
    [ link to this | view in chronology ]
    - Derek Kerton (profile), 5 May 2016 @ 11:02am
      
      Re: Re: Re:
      I can't see anywhere where I "downplay risks". I merely say that uMich's assertion of "There are risks, so don't do it" negates a well-thought cost/benefit analysis. It also doesn't discuss some simple measures that can reduce that risk.
      
      There absolutely are benefits that must be considered.
      
      Also, the uMich risks are overstated. You see, hackers are scary because they can be anywhere in the world and attack your digital assets...but to go in your front door, thieves need to be physically present and risk physical arrest. But once they are physically present...
      
      ...what is the easier way to enter an IoT locked home? Hack the users phone to get at the user's IoT SmartThings base to hack the user's smartlock, or...ah...just break a window?
      [ link to this | view in chronology ]
Ninja (profile), 3 May 2016 @ 8:22am

As long as these things remain insecure (and it seems they will for a long time) and I'm not in full control of them (ie: they don't snoop on my activity) I'll keep things as dumb as possible. This IoT thing can wait.
[ link to this | view in chronology ]
- velox (profile), 3 May 2016 @ 8:30am
  
  Re:
  *** THIS ***
  [ link to this | view in chronology ]
- Anonymous Coward, 3 May 2016 @ 8:56am
  
  Re:
  Really? It's the insecurity that bothers you more than the core business model of ubiquitous voyeurism?
  [ link to this | view in chronology ]
  - Anonymous Coward, 3 May 2016 @ 9:39am
    
    Re: Re:
    Unclear on how turning a light on and kicking the teprature to where you want it when your house notices that the phone in your pocket logged onto the wifi network is somehow
    "the compulsion to seek sexual gratification by secretively looking at sexual objects or acts"
    
    but you do you buddy, you do you.
    [ link to this | view in chronology ]
  - Ninja (profile), 3 May 2016 @ 12:49pm
    
    Re: Re:
    I'm not in full control of them (ie: they don't snoop on my activity)
    
    See?
    
    You can always build intelligent systems. There's plenty of ways to do it but I'm not that savvy.
    [ link to this | view in chronology ]
  - John Fenderson (profile), 5 May 2016 @ 6:05am
    
    Re: Re:
    The core business model of spying is a huge part of the insecurity.
    [ link to this | view in chronology ]
AricTheRed (profile), 3 May 2016 @ 8:53am

Better living through Surveillance!
Enjoy...

Samsung's SmartThings platform!

Now with FBiOS!

"So we can back-door your front door, and your thermostat too!"

The honorable James Comey

Director, Federal Bureau of Intrusion
[ link to this | view in chronology ]
- Anonymous Coward, 3 May 2016 @ 9:46am
  
  Re: Better living through Surveillance!
  The more we wire up the things in our lives, the more we will be spied on by corporations and the government, who quite possibly are one and the same.
  [ link to this | view in chronology ]
isma'il, 3 May 2016 @ 8:58am

This isn't all that surprising
Coming from Samsung, the company that had security issues with quite a few of their own branded apps on their smartphones. Is it really all that surprising that the same problems would crop up again, only this time with their IoT app? Not to champion Apple over Samsung (Apple has their fair share of problems too), but it seems as if Samsung only cares about their users insofar as being beta testers. Their modus operandii, for a long time, has been, "We have your money, now go f*%k off."
[ link to this | view in chronology ]
Anonymous Coward, 3 May 2016 @ 9:06am

I've implemented OAuth (2.0) on web service back ends and clients before. The security tokens used by this protocol MUST be kept confidential. If the token is leaked, it can be used to gain the same privileges as the intended user. It's a known and well documented problem that OAuth security can be compromised quite easily by a poorly written client if it divulges the token somehow. Samsung is technically correct, their is nothing wrong with OAuth (it's used all over the place online) but with the bad client (device) side implementation.
[ link to this | view in chronology ]
DannyB (profile), 3 May 2016 @ 9:06am

This is NOT a joke
This is private industry boldly innovating and pro-actively complying with the government's dream wish list of features.

Ability to look into your home, for your security.

Ability to monitor all your communications, for your safety.

Ability to get into your house without 'breaking' doors or locks, to save from expensive repairs.

the psi corps
is your friend
trust the corps
[ link to this | view in chronology ]
Anonymous Coward, 3 May 2016 @ 10:23am

I own and use SmartThings devices in my home. I use the system for convenience, not security. If someone wants to break in my home, smashing some glass is far more likely a threat than a breach to the SmartThings hub. Pure security theater.

The attack vector described (install a malicious app / click a malicious link) still requires an inattentive human to take an action to trigger the exploit. A human has to make a bad decision to allow the system to be breached. I find nothing new or exciting about that.
[ link to this | view in chronology ]
- velox (profile), 3 May 2016 @ 10:59am
  
  Re:
  There would be a major difference between IoT associated theft and smashing windows. Broken windows attract the neighbors' attention, and when you get home you immediately know there was a break-in.
  Consider if you have IoT devices which may or may not have a backdoor accessible to thieves. If something goes missing in your home, and let's say it's jewelry or a watch, and not something obvious like your TV, are you going to first suspect you misplaced it, or would you suspect a break-in. Are you now going to start checking your surveillance cameras every time you can't find something. If you don't trust your front door lock, are you going to trust your surveillance camera? There have been back doors reported in those as well.
  [ link to this | view in chronology ]
Anonymous Coward, 3 May 2016 @ 1:27pm

The real defination of IoT
The insecurity of things, because that is truly real.
[ link to this | view in chronology ]
Null (profile), 3 May 2016 @ 3:27pm

Surveillance
Marketed
As
Revolutionary
Technology
[ link to this | view in chronology ]
CharlieBrown, 3 May 2016 @ 7:24pm

We don't use Samsung, We use LG
We use LG for our TV, our fridge, our washing machine, our PVR even. What do all of these devices have in common? None of them connect to the internet! That's the way I like it. I don't think LG is better than Samsung, I just wanted you to think that with the topic title. Most of these things were rent-to-buy things anyway.
[ link to this | view in chronology ]
Anonymous Coward, 9 May 2016 @ 10:14am

The current Internet is a joke.
[ link to this | view in chronology ]