Samsung SmartThings Platform Latest To Highlight Internet Of Things Security Is A Joke
from the just-buy-a-dog dept
Stop us if you've heard this one before: a new study has found that the "Internet of Things" may bring some added convenience, but at the high price of severe security vulnerabilities. Researchers at the University of Michigan say they've uncovered (pdf) some major new vulnerabilities in Samsung's SmartThings platform that could allow an attacker to unlock doors, modify home access codes, create false smoke detector alarms, or put security and automation devices into vacation mode. Researchers say this can be done by tricking users into either installing a malicious app from the SmartThings store, or by clicking a malicious link.The URL attack relies on SmartThings' flawed implementation of the OAuth authentication protocol. In short, a malicious URL can be used to trick the consumer into giving up his login tokens without the slightest indication anything has gone wrong, but providing an attacker with the ability to create his own backdoor -- into your front door:
"Broadly, this part of the attack involves getting a victim to click on a link that points to the authentic SmartThings domain with only the redirect_uri portion of the link replaced with an attacker controlled domain. The victim should not suspect anything since the URL indeed takes the victim to the genuine HTTPS login page of SmartThings. Once the victim logs in to the real SmartThings Web page, SmartThings automatically redirects to the specified redirect URI with a 6 character codeword. At this point, the attacker can complete the OAuth flow using the codeword and the client ID and secret pair obtained from the third-party app’s bytecode independently."If the malicious URL approach isn't used, attackers can also rely on tricking consumers into downloading a malicious app that -- for example -- might claim to offer you insight into device battery consumption, but can actually also give an attacker the keys to your kingdom. This is in part, the researchers note, due to the fact that 42% of over 500 apps in the SmartThings store are are given significantly more system privileges than they actually need to accomplish the task at hand:
"We found that SmartApps were significantly overprivileged: (a) 55% of SmartApps did not use all the rights to device operations that their requested capabilities implied; and (b) 42% of SmartApps were granted capabilities that were not explicitly requested or used. In many of these cases, overprivilege was unavoidable, due to the device-level authorization design of the capability model and occurred through no fault of the developer. Worryingly, we have observed that 68 existing SmartApps are already taking advantage of the overprivilege to provide extra features, without requesting the relevant capabilities.As is pretty standard behavior in the Internet of Things space, Samsung was quick to downplay the problems in a statement to the media and throw developers under the bus (despite the report clearly outlining Samsung's responsibility):
"The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios - the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure," a SmartThings representative said. "Following this report, we have updated our documented best practices to provide even better security guidance to developers."The problem is the report clearly notes that neither of these two scenarios is all that unlikely. In an admittedly small survey of 22 SmartThings users, the study found that 91% would let a battery monitoring app check the status of their smart lock. But quite justly, just 14% of those polled believed that providing such access would somehow involve the app being able to send door access codes to a remote server. The study, and Samsung's reaction to it, are just another example of how if you really want a smart and secure home, "dumber" solutions -- like dead bolts and a dog -- remain the more intelligent option.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: hacking, internet of things, security, smartthings
Companies: samsung
Reader Comments
Subscribe: RSS
View by: Time | Thread
Who actually buys these voyeuristic devices?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Response to: Anonymous Coward on May 3rd, 2016 @ 6:57am
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Better living through Surveillance!
Samsung's SmartThings platform!
Now with FBiOS!
"So we can back-door your front door, and your thermostat too!"
The honorable James Comey
Director, Federal Bureau of Intrusion
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
This isn't all that surprising
[ link to this | view in thread ]
[ link to this | view in thread ]
This is NOT a joke
Ability to look into your home, for your security.
Ability to monitor all your communications, for your safety.
Ability to get into your house without 'breaking' doors or locks, to save from expensive repairs.
the psi corps
is your friend
trust the corps
[ link to this | view in thread ]
Re:
I do.
And, I've solved two robberies with them, and one liability question. One a motorcycle next door where I could identify the vehicle. For liability, a dump truck cut cables by mistake, and I could identify the company from the logo on the door.
Both of those are camera functions, though. In my main home, My Smartthings setup is relegated to control of lights.
But at a lake house in Canada, I connected a door lock too. I use the IoT features to alert me when the front door is unlocked, to program door codes, and to operate the HVAC.
This allows my family to save lots of money by lowering the thermostat way down in the winter, but activate the heater prior to going to the house. We use water sensors and cameras to alert us to potential ice and flood damage at lake level, and in the house.
The remote programming of the door locks allows us to give service personnel temporary access by programming a code for them that we promptly erase. By using IoT, NOBODY ever gets a key they can copy, nor a hiding spot for a physical key. This increases our safety.
Thus in my total experience, IoT has increased my safety, lowered my energy use, and solved two crimes and one liability.
I agree entirely with the uMich engineers in the video, however, there are benefits as well as costs of an IoT home. I have to weigh the security costs against these benefits, and in the end, I'm pretty sure the IoT smarthome is worth it.
One way to use these tools, but not be too exposed to risk is to silo them a little - that is, don't connect your light control system to your door locks. Don't install too many external apps, and to generally protect your home LAN with a good firewall.
Foscam cameras, for example, were known to have been hacked. If they were on the Internet, hackers could port sniff, find the cam, and view it. But if you had all your cams behind a gateway with a good firewall, you would be safe. Or even if you just password protect your cams beyond defaults.
Anyway, I don't kid myself that I'm not hackable. Everything is. But I try to make it hard, and I weigh the cost/benefit of the IoT.
[ link to this | view in thread ]
Re: Re:
"the compulsion to seek sexual gratification by secretively looking at sexual objects or acts"
but you do you buddy, you do you.
[ link to this | view in thread ]
Re: Better living through Surveillance!
[ link to this | view in thread ]
The attack vector described (install a malicious app / click a malicious link) still requires an inattentive human to take an action to trigger the exploit. A human has to make a bad decision to allow the system to be breached. I find nothing new or exciting about that.
[ link to this | view in thread ]
Re:
Consider if you have IoT devices which may or may not have a backdoor accessible to thieves. If something goes missing in your home, and let's say it's jewelry or a watch, and not something obvious like your TV, are you going to first suspect you misplaced it, or would you suspect a break-in. Are you now going to start checking your surveillance cameras every time you can't find something. If you don't trust your front door lock, are you going to trust your surveillance camera? There have been back doors reported in those as well.
[ link to this | view in thread ]
Re: Re:
All of which could have been done without IoT.
I weigh the cost/benefit of the IoT.
I think your thumb is on the scales. You seem to be giving it credit that it doesn't deserve while downplaying the risks.
[ link to this | view in thread ]
Re: Re:
See?
You can always build intelligent systems. There's plenty of ways to do it but I'm not that savvy.
[ link to this | view in thread ]
The real defination of IoT
[ link to this | view in thread ]
Marketed
As
Revolutionary
Technology
[ link to this | view in thread ]
We don't use Samsung, We use LG
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
There absolutely are benefits that must be considered.
Also, the uMich risks are overstated. You see, hackers are scary because they can be anywhere in the world and attack your digital assets...but to go in your front door, thieves need to be physically present and risk physical arrest. But once they are physically present...
...what is the easier way to enter an IoT locked home? Hack the users phone to get at the user's IoT SmartThings base to hack the user's smartlock, or...ah...just break a window?
[ link to this | view in thread ]
[ link to this | view in thread ]