With so many varieties of smart home systems on the market today, which one should you choose? Unfortunately, even the leading brands are susceptible to security breaches.
Cybersecurity researchers at the University of Michigan were able to hack into Samsung's SmartThings, a top-selling Internet of Things platform. In doing so, they were able to acquire the PIN code to a home's front door.
The University of Michigan team's "lock-pick malware app" was one of four attacks conducted as part of an experiment. The work is believed to be the first platform-wide study of a real-world connected home system.
"At least today, with the one public IoT software platform we looked at, which has been around for several years, there are significant design vulnerabilities from a security perspective," said Atul Prakash, University of Michigan professor of computer science and engineering. "I would say it's okay to use as a hobby right now, but I wouldn't use it where security is paramount."
After conducting their hacking experiments, which produced less than favorable results, the team agreed that using these kinds of systems for minor actions like adjusting window shades is probably safe, but anything that requires secure control should be questioned.
Samsung’s SmartThings now works with an accompanying Android app that allows users to manage connected home devices remotely. The app, which has been downloaded over 100,000 times, allows third-party developers to contribute SmartApps that run in the platform's cloud and let users customize functions.
The researchers demonstrated how a SmartApp could be used to eavesdrop on someone setting a new PIN code for a door lock. The PIN was sent via text message to a potential hacker. The SmartApp, which they called a "lock-pick malware app," was disguised as a battery level monitor and only expressed the need for that capability in its code.
To further demonstrate this hack, they showed that an existing, highly rated SmartApp could be remotely exploited to virtually make a spare door key by programming an additional PIN into the electronic lock. The exploited SmartApp was not originally designed to program PIN codes into locks.
Additional demonstrations included using a SmartApp to turn off "vacation mode" in a separate app that is responsible for the timing of lights, blinds, etc., to help secure the home, and using false messages to set off the fire alarm when people are away. This was possible because the platform's "event subsystem" (the stream of messages devices generate as they're programmed) is insecure, which made it possible for the cybersecurity team to inject inaccurate events to trick devices. That's how they managed to access the fire alarm and flip the switch on vacation mode.
The security loopholes the researchers discovered fall into a few categories, and are made possible by the SmartApps platform allowing too much access to devices. More than 40% of the nearly 500 apps they examined were granted capabilities the developers did not specify in their code, which is how the researchers were able to eavesdrop on setting lock PIN codes.
"The access SmartThings grants by default is at a full device level, rather than any narrower," said Prakash. "As an analogy, say you give someone permission to change the lightbulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets."
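The gap between what an app asks for and what a device-level grant hands it can be audited mechanically. The sketch below is an added illustration, not code from the researchers or from SmartThings; the device names, capability names and the list of sensitive capabilities are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample inventory: each device and the capabilities it exposes.
DEVICES = {
    "front-door-lock": {"battery", "lock", "lockCodes"},
    "hall-smoke-detector": {"battery", "smokeDetector"},
    "bedroom-shade": {"windowShade"},
}
# Assumed local policy: capabilities an auditor wants flagged when over-granted.
SENSITIVE = {"lock", "lockCodes", "smokeDetector"}

@dataclass(frozen=True)
class AppInstall:
    name: str
    requested: frozenset   # capabilities the app's code asks for
    bound_devices: tuple   # devices the user selected at install time

def device_level_grant(app):
    """Coarse model from the article: binding a device exposes all of it."""
    granted = set()
    for dev in app.bound_devices:
        granted |= DEVICES[dev]
    return granted

def capability_level_grant(app):
    """Narrower alternative: only requested capabilities on bound devices."""
    return device_level_grant(app) & app.requested

def audit(app):
    """Report capabilities the app holds but never asked for."""
    excess = device_level_grant(app) - app.requested
    return {"app": app.name, "excess": sorted(excess),
            "sensitive_excess": sorted(excess & SENSITIVE)}

def overprivileged_share(apps):
    """Fraction of installed apps holding at least one unrequested capability."""
    return sum(1 for a in apps if audit(a)["excess"]) / len(apps)

# Constructed installs: a battery monitor bound to two devices, a shade timer.
APPS = [
    AppInstall("battery-monitor", frozenset({"battery"}),
               ("front-door-lock", "hall-smoke-detector")),
    AppInstall("shade-scheduler", frozenset({"windowShade"}),
               ("bedroom-shade",)),
]

if __name__ == "__main__":
    for a in APPS:
        print(audit(a))
    print("over-privileged share:", overprivileged_share(APPS))
```
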
And if that wasn’t enough, the researchers also found that it is possible for app developers to deploy an authentication method called OAuth incorrectly. This flaw, in combination with SmartApps being over-privileged, allowed the hackers to program their own PIN code into the lock and create their own secret spare key.
"The bottom line is that it's not easy to secure these systems," said Prakash. "There are multiple layers in the software stack and we found vulnerabilities across them, making fixes difficult."
The University of Michigan researchers revealed their findings to SmartThings in December 2015 and the company is working on fixes. The researchers re-checked a few weeks ago to see if a lock's PIN code could still be snooped and reprogrammed by a potential hacker, and it still could.
According to SmartThings, they're looking for long-term solutions to address the vulnerabilities and analyzing their apps at this time, in addition to other steps.
Watch the U-M video for a demonstration.
Story via University of Michigan.