Samsung SmartThings Vulnerability Lets Attackers Access Your Devices; Fix Released

Samsung SmartThings Vulnerability Lets Attackers Access Your Devices; Fix Released
Highlights
  • Researchers reported two design flaws in the SmartThings platform.
  • SmartThings has rolled out fixes for the security vulnerabilities.
  • Samsung bought the home automation startup SmartThings in 2014.
Advertisement
A research team from the University of Michigan and Microsoft Research has discovered a vulnerability in Samsung's SmartThings platform that can allow attackers to perform unauthorised activities through a malicious app. The vulnerability is major considering that it can allow an attacker to control a broad range of personal devices under SmartThings such as motion sensors, fire alarms, and door locks.

SamsungSmartThings however has released number of updates that are claimed to protect SmartThings users against the potential vulnerabilities reported by the research team. "Over the past several weeks, we have been working with this research team and have already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report. It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place," said Alex Hawkinson Founder and CEO, SmartThings.

In a published report, the researchers explain how they exploited the vulnerability, "SmartThings hosts the application runtime on a proprietary, closed-source cloud backend, making scrutiny challenging. We overcame the challenge with a static source code analysis of 499 SmartThings apps (called SmartApps) and 132 device handlers, and carefully crafted test cases that revealed many undocumented features of the platform."

The report highlighted two design flaws that can allow attackers to take advantage of a privilege problem in SmartApps. First the SmartApp is granted full access to a device even if it just requires only limited access to the device, and secondly SmartThings event subsystem does not sufficiently protect events that carry sensitive information such as lock codes. "Our analysis reveals that over 55 percent of SmartApps in the store are over privileged due to the capabilities being too coarse-grained," added the report.

To check the vulnerability in SmartThings, researchers exploited design flaws and constructed an attack. "Four proof-of-concept attacks that: (1) secretly planted door lock codes; (2) stole existing door lock codes; (3) disabled vacation mode of the home; and (4) induced a fake fire alarm. We conclude the paper with security lessons for the design of emerging smart home programming frameworks," added the report. The researchers also demonstrated the exploit in a video.

The researchers also conducted a survey with 22 SmartThings users regarding the door lock pin-code snooping attack. "Our survey result suggests that most of our participants have limited understanding of security and privacy risks of the SmartThings platform - over 70 percent of our participants responded that they would be interested in installing a battery monitoring app and would give it access to a door lock. Only 14 percent of our participants reported that the battery monitor SmartApp could perform a door lock pin-code snooping attack," added the report.

Samsung SmartThings acknowledged the team of researchers and adds that it regularly performs security checks of its SmartThings system and also engages with professional third-party security experts to find any potential vulnerabilities in the platform.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Ketan Pratap
Ketan Pratap is the editor at Gadgets 360 - with over 12 years of experience covering the technology domain. With a breadth and depth of knowledge in the field, he's done extensive work across news, features, reviews, and opinion pieces. But what's truly inspiring about Ketan is how he spends his free time. He's often found gazing at snow-capped mountains from over 20,000 feet while sitting on the hood of his car, taking in the breathtaking beauty of nature. His passion for the great ...More
Google Keyboard for Android Gets One-Handed Mode and More
Uncharted 4 Release Highlights Sony's Problems in India
Share on Facebook Gadgets360 Twitter Share Tweet Snapchat Share Reddit Comment google-newsGoogle News
 
 

Advertisement

Follow Us

Advertisement

© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »