Samsung SmartThings Platform Latest To Highlight Internet Of Things Security Is A Joke

from the just-buy-a-dog dept

Stop us if you've heard this one before: a new study has found that the "Internet of Things" may bring some added convenience, but at the high price of severe security vulnerabilities. Researchers at the University of Michigan say they've uncovered (pdf) some major new vulnerabilities in Samsung's SmartThings platform that could allow an attacker to unlock doors, modify home access codes, create false smoke detector alarms, or put security and automation devices into vacation mode. Researchers say this can be done by tricking users into either installing a malicious app from the SmartThings store, or by clicking a malicious link.

The URL attack relies on SmartThings' flawed implementation of the OAuth authentication protocol. In short, a malicious URL can be used to trick the consumer into giving up his login tokens without the slightest indication that anything has gone wrong, while providing an attacker with the ability to create his own backdoor -- into your front door:
"Broadly, this part of the attack involves getting a victim to click on a link that points to the authentic SmartThings domain with only the redirect_uri portion of the link replaced with an attacker controlled domain. The victim should not suspect anything since the URL indeed takes the victim to the genuine HTTPS login page of SmartThings. Once the victim logs in to the real SmartThings Web page, SmartThings automatically redirects to the specified redirect URI with a 6 character codeword. At this point, the attacker can complete the OAuth flow using the codeword and the client ID and secret pair obtained from the third-party app’s bytecode independently."
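The weakness the researchers describe is the authorization server accepting whatever redirect_uri the link carries. As an added illustration (not code from the paper, from SmartThings, or from any real client), the Python sketch below models the authorization endpoint's handling of that parameter. The client id, the registered callback and the swapped-in callback host are constructed values. It contrasts a loose check, which accepts any HTTPS URL and so lets the authorization code be delivered to a host the client never registered, with an exact match against the client's pre-registered URIs, which is what RFC 6749 expects and what closes this class of token leak.

```python
from typing import Callable, Optional
from urllib.parse import urlsplit, parse_qs
import secrets

# Constructed sample client registry: a hypothetical third-party SmartApp and the
# single callback URI it registered. A real server keeps this in its client database.
REGISTERED_CLIENTS = {
    "battery-monitor-app": {
        "redirect_uris": ["https://battery-monitor.example/oauth/callback"],
    },
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Loose validation: any absolute HTTPS URL is accepted for a known client.
    This is the class of flaw the paper describes; the redirect target is
    effectively chosen by whoever built the link."""
    if client_id not in REGISTERED_CLIENTS:
        return False
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and bool(parts.netloc)


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against the URIs registered for the client
    (RFC 6749 section 3.1.2.2): no wildcards, no prefix matching, no fragments."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def handle_authorize(query_string: str,
                     validator: Callable[[str, str], bool]) -> Optional[str]:
    """Simulate the authorization endpoint after the user has logged in and consented.
    Returns the Location header the server would send, or None when the request is
    refused. A refused request is not redirected anywhere, not even with an error
    parameter, because the redirect target is exactly the untrusted value."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    state = params.get("state", "")
    if not validator(client_id, redirect_uri):
        return None
    code = secrets.token_urlsafe(24)  # short-lived authorization code for this client
    separator = "&" if "?" in redirect_uri else "?"
    return f"{redirect_uri}{separator}code={code}&state={state}"


if __name__ == "__main__":
    # Constructed requests: a legitimate one, and one identical except that the
    # redirect_uri points at an unregistered host (the login page itself stays genuine).
    benign = ("client_id=battery-monitor-app&response_type=code&state=xyz"
              "&redirect_uri=https%3A%2F%2Fbattery-monitor.example%2Foauth%2Fcallback")
    swapped = ("client_id=battery-monitor-app&response_type=code&state=xyz"
               "&redirect_uri=https%3A%2F%2Funregistered.example%2Fcollect")
    for name, check in (("weak", weak_redirect_check), ("strict", strict_redirect_check)):
        print(name, "benign  ->", handle_authorize(benign, check))
        print(name, "swapped ->", handle_authorize(swapped, check))
```

The strict check is deliberately a plain membership test rather than a domain comparison: once the server starts reasoning about "same domain" or "starts with the registered prefix", path and query tricks tend to creep back in, and the registered list is the only thing the client actually proved it controls.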
If the malicious URL approach isn't used, attackers can also rely on tricking consumers into downloading a malicious app that -- for example -- might claim to offer you insight into device battery consumption, but can actually also give an attacker the keys to your kingdom. This is in part, the researchers note, because 42% of over 500 apps in the SmartThings store are given significantly more system privileges than they actually need to accomplish the task at hand:
"We found that SmartApps were significantly overprivileged: (a) 55% of SmartApps did not use all the rights to device operations that their requested capabilities implied; and (b) 42% of SmartApps were granted capabilities that were not explicitly requested or used. In many of these cases, overprivilege was unavoidable, due to the device-level authorization design of the capability model and occurred through no fault of the developer. Worryingly, we have observed that 68 existing SmartApps are already taking advantage of the overprivilege to provide extra features, without requesting the relevant capabilities."
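To make the overprivilege finding concrete, here is an added Python model (not the SmartThings framework's code; the device, capability and command names are hypothetical, loosely modelled on the capability model the paper describes) of device-level versus capability-level authorization. A battery-monitor app that declares only a battery capability ends up holding the lock capability of whatever device the user picked under the device-level design, and a dispatch-time check shows it could issue lock commands it never asked for; under the capability-level alternative the grant is intersected with what the app declared, and the audit function reports no overprivilege.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed catalogue: each capability maps to the commands it implies.
# A read-only attribute such as battery level implies no commands at all.
CAPABILITY_COMMANDS: Dict[str, Set[str]] = {
    "battery": set(),
    "lock": {"lock", "unlock", "setCode"},
    "switch": {"on", "off"},
}

# Constructed devices and the capabilities each one exposes.
DEVICES: Dict[str, Set[str]] = {
    "front-door": {"battery", "lock"},
    "porch-light": {"switch"},
}


@dataclass
class SmartApp:
    name: str
    requested: Set[str]                     # capabilities declared in the app's preferences
    granted: Dict[str, Set[str]] = field(default_factory=dict)  # device id -> capabilities held


def device_level_grant(app: SmartApp, chosen_devices: List[str]) -> SmartApp:
    """Flawed design: the user picks a device to satisfy the requested capability,
    and the app receives every capability that device exposes."""
    for dev in chosen_devices:
        app.granted[dev] = set(DEVICES[dev])
    return app


def capability_level_grant(app: SmartApp, chosen_devices: List[str]) -> SmartApp:
    """Least-privilege alternative: the grant is the intersection of what the
    device exposes and what the app actually declared."""
    for dev in chosen_devices:
        app.granted[dev] = DEVICES[dev] & app.requested
    return app


def overprivilege(app: SmartApp) -> Set[str]:
    """Capabilities the app holds on some device but never requested
    (the paper's finding (b), computed for one app)."""
    held = set().union(*app.granted.values())
    return held - app.requested


def can_invoke(app: SmartApp, device: str, command: str) -> bool:
    """Dispatch-time check: the command must belong to a capability the app
    holds for that specific device."""
    for cap in app.granted.get(device, set()):
        if command in CAPABILITY_COMMANDS[cap]:
            return True
    return False


if __name__ == "__main__":
    for grant in (device_level_grant, capability_level_grant):
        app = grant(SmartApp("battery-monitor", {"battery"}), ["front-door"])
        print(grant.__name__, "overprivilege:", overprivilege(app),
              "can unlock:", can_invoke(app, "front-door", "unlock"))
```

The audit function is the part worth reusing: run over every installed app's grants, it reproduces the paper's measurement of granted-but-unrequested capabilities, and it is the number a platform operator would want to watch after changing the authorization design.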
As is pretty standard behavior in the Internet of Things space, Samsung was quick to downplay the problems in a statement to the media and throw developers under the bus (despite the report clearly outlining Samsung's responsibility):
"The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios - the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure," a SmartThings representative said. "Following this report, we have updated our documented best practices to provide even better security guidance to developers."
The problem is that the report clearly notes that neither of these two scenarios is all that unlikely. In an admittedly small survey of 22 SmartThings users, the study found that 91% would let a battery monitoring app check the status of their smart lock. Yet just 14% of those polled believed that granting such access could let the app send door access codes to a remote server. The study, and Samsung's reaction to it, are just another example of how, if you really want a smart and secure home, "dumber" solutions -- like dead bolts and a dog -- remain the more intelligent option.

Reader Comments




  1. Anonymous Coward, 3 May 2016 @ 6:57am

    I've not seen anyone actually use any IoT device nor talk of using one for their home nor mention even wanting one.

    Who actually buys these voyeuristic devices?


  2. Anonymous Coward, 3 May 2016 @ 7:10am

    Re:

    ...especially for the front door!


  3. Anonymous Coward, 3 May 2016 @ 8:10am

    Re:

    I can see a certain appeal in it, but currently I will wait for a later generation. Looking at it from an economical point of view, I wouldn't mind having smart power outlets that let me know what is consuming power. Also have the ability to manage the power of those outlets so I can schedule them. The other part I wouldn't mind having is if my alarms could trigger my phone. Either way, when I do decide to make the jump, it will probably be something that is open source.


  4. Anonymous Coward, 3 May 2016 @ 8:17am

    Response to: Anonymous Coward on May 3rd, 2016 @ 6:57am

    You won't see them hanging around a tech blog. Talk to a cable tech or tech support operator. A tech can keep me occupied telling me stories of people with smart coffee makers, ovens, fridges, and now everyone is getting into security systems. No one asks about security.


  5. Ninja (profile), 3 May 2016 @ 8:22am

    As long as these things remain insecure (and it seems they will for a long time) and I'm not in full control of them (ie: they don't snoop on my activity) I'll keep things as dumb as possible. This IoT thing can wait.


  6. velox (profile), 3 May 2016 @ 8:30am

    Re:

    *** THIS ***


  7. AricTheRed (profile), 3 May 2016 @ 8:53am

    Better living through Surveillance!

    Enjoy...

    Samsung's SmartThings platform!

    Now with FBiOS!


    "So we can back-door your front door, and your thermostat too!"

    The honorable James Comey

    Director, Federal Bureau of Intrusion


  8. Anonymous Coward, 3 May 2016 @ 8:56am

    Re:

    Really? It's the insecurity that bothers you more than the core business model of ubiquitous voyeurism?


  9. isma'il, 3 May 2016 @ 8:58am

    This isn't all that surprising

    Coming from Samsung, the company that had security issues with quite a few of their own branded apps on their smartphones. Is it really all that surprising that the same problems would crop up again, only this time with their IoT app? Not to champion Apple over Samsung (Apple has their fair share of problems too), but it seems as if Samsung only cares about their users insofar as being beta testers. Their modus operandi, for a long time, has been, "We have your money, now go f*%k off."


  10. Anonymous Coward, 3 May 2016 @ 9:06am

    I've implemented OAuth (2.0) on web service back ends and clients before. The security tokens used by this protocol MUST be kept confidential. If the token is leaked, it can be used to gain the same privileges as the intended user. It's a known and well documented problem that OAuth security can be compromised quite easily by a poorly written client if it divulges the token somehow. Samsung is technically correct: there is nothing wrong with OAuth (it's used all over the place online) but with the bad client (device) side implementation.


  11. DannyB (profile), 3 May 2016 @ 9:06am

    This is NOT a joke

    This is private industry boldly innovating and pro-actively complying with the government's dream wish list of features.

    Ability to look into your home, for your security.

    Ability to monitor all your communications, for your safety.

    Ability to get into your house without 'breaking' doors or locks, to save from expensive repairs.

    the psi corps
    is your friend
    trust the corps


  12. Derek Kerton (profile), 3 May 2016 @ 9:35am

    Re:

    "Who actually buys these voyeuristic devices?"

    I do.

    And, I've solved two robberies with them, and one liability question. One a motorcycle next door where I could identify the vehicle. For liability, a dump truck cut cables by mistake, and I could identify the company from the logo on the door.

    Both of those are camera functions, though. In my main home, my SmartThings setup is relegated to control of lights.

    But at a lake house in Canada, I connected a door lock too. I use the IoT features to alert me when the front door is unlocked, to program door codes, and to operate the HVAC.

    This allows my family to save lots of money by lowering the thermostat way down in the winter, but activate the heater prior to going to the house. We use water sensors and cameras to alert us to potential ice and flood damage at lake level, and in the house.

    The remote programming of the door locks allows us to give service personnel temporary access by programming a code for them that we promptly erase. By using IoT, NOBODY ever gets a key they can copy, nor a hiding spot for a physical key. This increases our safety.

    Thus in my total experience, IoT has increased my safety, lowered my energy use, and solved two crimes and one liability.

    I agree entirely with the uMich engineers in the video, however, there are benefits as well as costs of an IoT home. I have to weigh the security costs against these benefits, and in the end, I'm pretty sure the IoT smarthome is worth it.

    One way to use these tools, but not be too exposed to risk, is to silo them a little - that is, don't connect your light control system to your door locks. Don't install too many external apps, and generally protect your home LAN with a good firewall.

    Foscam cameras, for example, were known to have been hacked. If they were on the Internet, hackers could port sniff, find the cam, and view it. But if you had all your cams behind a gateway with a good firewall, you would be safe. Or even if you just password protect your cams beyond defaults.

    Anyway, I don't kid myself that I'm not hackable. Everything is. But I try to make it hard, and I weigh the cost/benefit of the IoT.


  13. Anonymous Coward, 3 May 2016 @ 9:39am

    Re: Re:

    Unclear on how turning a light on and kicking the temperature to where you want it when your house notices that the phone in your pocket logged onto the wifi network is somehow
    "the compulsion to seek sexual gratification by secretively looking at sexual objects or acts"

    but you do you buddy, you do you.


  14. Anonymous Coward, 3 May 2016 @ 9:46am

    Re: Better living through Surveillance!

    The more we wire up the things in our lives, the more we will be spied on by corporations and the government, who quite possibly are one and the same.


  15. Anonymous Coward, 3 May 2016 @ 10:23am

    I own and use SmartThings devices in my home. I use the system for convenience, not security. If someone wants to break in my home, smashing some glass is far more likely a threat than a breach to the SmartThings hub. Pure security theater.

    The attack vector described (install a malicious app / click a malicious link) still requires an inattentive human to take an action to trigger the exploit. A human has to make a bad decision to allow the system to be breached. I find nothing new or exciting about that.


  16. velox (profile), 3 May 2016 @ 10:59am

    Re:

    There would be a major difference between IoT associated theft and smashing windows. Broken windows attract the neighbors' attention, and when you get home you immediately know there was a break-in.
    Consider if you have IoT devices which may or may not have a backdoor accessible to thieves. If something goes missing in your home, and let's say it's jewelry or a watch, and not something obvious like your TV, are you going to first suspect you misplaced it, or would you suspect a break-in? Are you now going to start checking your surveillance cameras every time you can't find something? If you don't trust your front door lock, are you going to trust your surveillance camera? There have been back doors reported in those as well.


  17. Anonymous Coward, 3 May 2016 @ 12:15pm

    Re: Re:

    Thus in my total experience, IoT has increased my safety, lowered my energy use, and solved two crimes and one liability.

    All of which could have been done without IoT.

    I weigh the cost/benefit of the IoT.

    I think your thumb is on the scales. You seem to be giving it credit that it doesn't deserve while downplaying the risks.


  18. Ninja (profile), 3 May 2016 @ 12:49pm

    Re: Re:

    I'm not in full control of them (ie: they don't snoop on my activity)

    See?

    You can always build intelligent systems. There's plenty of ways to do it but I'm not that savvy.


  19. Anonymous Coward, 3 May 2016 @ 1:27pm

    The real definition of IoT

    The insecurity of things, because that is truly real.


  20. Null (profile), 3 May 2016 @ 3:27pm

    Surveillance
    Marketed
    As
    Revolutionary
    Technology


  21. CharlieBrown, 3 May 2016 @ 7:24pm

    We don't use Samsung, we use LG

    We use LG for our TV, our fridge, our washing machine, our PVR even. What do all of these devices have in common? None of them connect to the internet! That's the way I like it. I don't think LG is better than Samsung, I just wanted you to think that with the topic title. Most of these things were rent-to-buy things anyway.


  22. John Fenderson (profile), 5 May 2016 @ 6:05am

    Re: Re:

    The core business model of spying is a huge part of the insecurity.


  23. Derek Kerton (profile), 5 May 2016 @ 11:02am

    Re: Re: Re:

    I can't see anywhere where I "downplay risks". I merely say that uMich's assertion of "There are risks, so don't do it" negates a well-thought cost/benefit analysis. It also doesn't discuss some simple measures that can reduce that risk.

    There absolutely are benefits that must be considered.

    Also, the uMich risks are overstated. You see, hackers are scary because they can be anywhere in the world and attack your digital assets...but to go in your front door, thieves need to be physically present and risk physical arrest. But once they are physically present...

    ...what is the easier way to enter an IoT locked home? Hack the users phone to get at the user's IoT SmartThings base to hack the user's smartlock, or...ah...just break a window?


  24. Anonymous Coward, 9 May 2016 @ 10:14am

    The current Internet is a joke.


