Samsung SmartThings Platform Latest To Highlight Internet Of Things Security Is A Joke
from the just-buy-a-dog dept
The URL attack relies on SmartThings' flawed implementation of the OAuth authentication protocol. In short, a malicious URL can be used to trick the consumer into giving up his login tokens without the slightest indication anything has gone wrong, but providing an attacker with the ability to create his own backdoor -- into your front door:
"Broadly, this part of the attack involves getting a victim to click on a link that points to the authentic SmartThings domain with only the redirect_uri portion of the link replaced with an attacker controlled domain. The victim should not suspect anything since the URL indeed takes the victim to the genuine HTTPS login page of SmartThings. Once the victim logs in to the real SmartThings Web page, SmartThings automatically redirects to the specified redirect URI with a 6 character codeword. At this point, the attacker can complete the OAuth flow using the codeword and the client ID and secret pair obtained from the third-party app’s bytecode independently."If the malicious URL approach isn't used, attackers can also rely on tricking consumers into downloading a malicious app that -- for example -- might claim to offer you insight into device battery consumption, but can actually also give an attacker the keys to your kingdom. This is in part, the researchers note, due to the fact that 42% of over 500 apps in the SmartThings store are are given significantly more system privileges than they actually need to accomplish the task at hand:
"We found that SmartApps were significantly overprivileged: (a) 55% of SmartApps did not use all the rights to device operations that their requested capabilities implied; and (b) 42% of SmartApps were granted capabilities that were not explicitly requested or used. In many of these cases, overprivilege was unavoidable, due to the device-level authorization design of the capability model and occurred through no fault of the developer. Worryingly, we have observed that 68 existing SmartApps are already taking advantage of the overprivilege to provide extra features, without requesting the relevant capabilities.As is pretty standard behavior in the Internet of Things space, Samsung was quick to downplay the problems in a statement to the media and throw developers under the bus (despite the report clearly outlining Samsung's responsibility):
"The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios - the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure," a SmartThings representative said. "Following this report, we have updated our documented best practices to provide even better security guidance to developers."The problem is the report clearly notes that neither of these two scenarios is all that unlikely. In an admittedly small survey of 22 SmartThings users, the study found that 91% would let a battery monitoring app check the status of their smart lock. But quite justly, just 14% of those polled believed that providing such access would somehow involve the app being able to send door access codes to a remote server. The study, and Samsung's reaction to it, are just another example of how if you really want a smart and secure home, "dumber" solutions -- like dead bolts and a dog -- remain the more intelligent option.