Technology News
English Edition

Samsung SmartThings Vulnerability Lets Attackers Access Your Devices; Fix Released

By Ketan Pratap | Updated: 5 May 2016 19:00 IST
Samsung SmartThings Vulnerability Lets Attackers Access Your Devices; Fix Released
Highlights
  • Researchers reported two design flaws in the SmartThings platform.
  • SmartThings has rolled out fixes for the security vulnerabilities.
  • Samsung bought the home automation startup SmartThings in 2014.
Advertisement
A research team from the University of Michigan and Microsoft Research has discovered a vulnerability in Samsung's SmartThings platform that can allow attackers to perform unauthorised activities through a malicious app. The vulnerability is major considering that it can allow an attacker to control a broad range of personal devices under SmartThings such as motion sensors, fire alarms, and door locks.

SamsungSmartThings however has released number of updates that are claimed to protect SmartThings users against the potential vulnerabilities reported by the research team. "Over the past several weeks, we have been working with this research team and have already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report. It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place," said Alex Hawkinson Founder and CEO, SmartThings.

In a published report, the researchers explain how they exploited the vulnerability, "SmartThings hosts the application runtime on a proprietary, closed-source cloud backend, making scrutiny challenging. We overcame the challenge with a static source code analysis of 499 SmartThings apps (called SmartApps) and 132 device handlers, and carefully crafted test cases that revealed many undocumented features of the platform."

The report highlighted two design flaws that can allow attackers to take advantage of a privilege problem in SmartApps. First the SmartApp is granted full access to a device even if it just requires only limited access to the device, and secondly SmartThings event subsystem does not sufficiently protect events that carry sensitive information such as lock codes. "Our analysis reveals that over 55 percent of SmartApps in the store are over privileged due to the capabilities being too coarse-grained," added the report.

To check the vulnerability in SmartThings, researchers exploited design flaws and constructed an attack. "Four proof-of-concept attacks that: (1) secretly planted door lock codes; (2) stole existing door lock codes; (3) disabled vacation mode of the home; and (4) induced a fake fire alarm. We conclude the paper with security lessons for the design of emerging smart home programming frameworks," added the report. The researchers also demonstrated the exploit in a video.

The researchers also conducted a survey with 22 SmartThings users regarding the door lock pin-code snooping attack. "Our survey result suggests that most of our participants have limited understanding of security and privacy risks of the SmartThings platform - over 70 percent of our participants responded that they would be interested in installing a battery monitoring app and would give it access to a door lock. Only 14 percent of our participants reported that the battery monitor SmartApp could perform a door lock pin-code snooping attack," added the report.

Samsung SmartThings acknowledged the team of researchers and adds that it regularly performs security checks of its SmartThings system and also engages with professional third-party security experts to find any potential vulnerabilities in the platform.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Samsung, Samsung SmartThings, Security Flaw, SmartThings, Vulnerability
Ketan Pratap
Ketan Pratap
Ketan Pratap is the editor at Gadgets 360 - with over 12 years of experience covering the technology domain. With a breadth and depth of knowledge in the field, he's done extensive work across news, features, reviews, and opinion pieces. But what's truly inspiring about Ketan is how he spends his free time. He's often found gazing at snow-capped mountains from over 20,000 feet while sitting on the hood of his car, taking in the breathtaking beauty of nature. His passion for the great ...More
Google Keyboard for Android Gets One-Handed Mode and More
Uncharted 4 Release Highlights Sony's Problems in India

Related Stories

Samsung SmartThings Vulnerability Lets Attackers Access Your Devices; Fix Released
Comment
Facebook Gadgets360 Twitter Share Tweet Snapchat LinkedIn Reddit Comment google-newsGoogle News

Advertisement

Featured
Follow Us
Latest Videos
More Videos
Tech News in Hindi
More Technology News in Hindi
Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. OnePlus Pad 2 Price in India Discounted for Limited Time: See New Price
  2. Realme GT 7 Pro With Snapdragon 8 Elite SoC, 6,500mAh Battery Launched
  3. Infinix XPad Review
  4. Upcoming Electric Scooters in India: Activa EV, TVS Jupiter EV, and More
  5. Bringing the Sun's Goodness into Your Home: Voltas Beko Refrigerators with Harvest Fresh Technology
  6. Oppo Reno 13 Series Launch Date, Key Specifications Tipped
  7. Samsung Galaxy S25 Series May Bring Support for Seamless Software Updates
  8. Xiaomi 15 Ultra Camera Details Tipped; Could Get 50-Megapixel Main Camera 
  9. X's Updated Block Feature Will Let Blocked Users See Your Posts, Followers
#Latest Stories
  1. Samsung Galaxy S25 Series Cases Leak, Hinting Towards Design Tweaks on Ultra Model
  2. Find Balance Between Convenience, Security: Binance CTO Rohit Wad to Web3 App Makers
  3. Upcoming Electric Scooters in India: Honda Activa EV, TVS Jupiter EV, and More
  4. Ramanaa, a Popular Tamil Classic Movie, Now Available for Streaming on Sun NXT
  5. Ajayante Randam Moshanam to Premiere on Disney+ Hotstar on November 8
  6. Mothers of Penguins OTT Release Date: Netflix's Upcoming Polish Comedy Drama to be Available on This Date
  7. Despicable Me 4 OTT Release Date: When and Where to Watch it Online?
  8. Creata EV Roundup: Expected Launch Timeline, Features, Powertrain, and More
  9. Meet Hang Son Doong: The World’s Largest Cave with Jungles, Stalagmites, and a Hidden River
  10. Apple's Affordable Vision Pro Delayed Beyond 2027, to Get an M5 Upgrade Next Year: Ming-Chi Kuo
Gadgets 360 is available in
Follow Us
Download Our Apps
App Store App Store
Available in Hindi
App Store
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »