Researchers Hack Samsung's SmartThings Platform
By Jef Cozza / CRM Daily
Researchers at the University of Michigan have discovered multiple security flaws in Samsung’s SmartThings Internet of Things consumer platform, allowing them to hack into the platform's automation system and gain control over a user’s home system. The discovery casts significant doubt on the ability of IoT software to expand into broader markets where companies are more concerned about security issues.

"At least today, with the one public IoT software platform we looked at, which has been around for several years, there are significant design vulnerabilities from a security perspective," said Atul Prakash, U-M professor of computer science and engineering, in a statement. "I would say it's okay to use as a hobby right now, but I wouldn't use it where security is paramount."

Overprivileged Apps

According to the university's research paper, the researchers wanted to determine the ways emerging, programmable, smart homes could be vulnerable to attacks, and what those attacks might entail. The researchers described the paper as the first in-depth empirical security analysis of a popular emerging smart home programming platform.

The researchers said they made two key discoveries. For one thing, although SmartThings implements a privilege separation model, SmartApps can be overprivileged, they said. Overprivilege is a security design flaw that lets an app gain access to more operations on protected resources than it requires to complete its claimed functionality.

For instance, a battery manager app only needs access to read the battery levels of devices. However, if the app can also issue operations to control the on/off status of a device, the app would be overprivileged. The researchers said they found two forms of overprivilege in the SmartThings platform. First, coarse-grained capabilities lead to over 55 percent of existing SmartApps being overprivileged.

The researchers also discovered that coarse SmartApp-SmartDevice binding leads to SmartApps gaining access to operations they did not explicitly ask for. The research team said that their analysis revealed that 42 percent of existing SmartApps are overprivileged in this way.
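
The two forms of overprivilege described above can be checked mechanically by comparing what an app is granted with what it requested and what it uses. The Python sketch below is an added example, not code from the researchers or from SmartThings; the capability names, device names, app descriptions, and the rule that binding to a device exposes every capability the device supports are constructed assumptions for illustration.

```python
# Constructed model for illustration; these are not SmartThings' real definitions.
# Each capability grants a set of operations (attribute reads and commands).
CAPABILITIES = {
    "battery": {"read:battery"},
    "switch": {"read:switch", "cmd:on", "cmd:off"},
    "lock": {"read:lock", "cmd:lock", "cmd:unlock"},
}

# Capabilities each (hypothetical) device exposes.
DEVICES = {
    "smart-plug": {"switch", "battery"},
    "front-door-lock": {"lock", "battery"},
}

# Constructed app descriptions: what each app asks for and what its code calls.
BATTERY_MANAGER = {"requested": {"smart-plug": {"battery"}},
                   "used": {"read:battery"}}
AUTO_LOCK = {"requested": {"front-door-lock": {"lock"}},
             "used": {"cmd:lock"}}


def audit(app):
    """Return (coarse_capability, coarse_binding) sets of (device, operation)."""
    coarse_capability, coarse_binding = set(), set()
    for device, requested in app["requested"].items():
        exposed = DEVICES[device]
        if not requested <= exposed:
            raise ValueError(f"{device} does not expose {requested - exposed}")
        # Form 1: a requested capability bundles operations the app never uses.
        for cap in requested:
            for op in CAPABILITIES[cap] - app["used"]:
                coarse_capability.add((device, op))
        # Form 2 (assumed rule): binding to the device also exposes the
        # capabilities the app did not request.
        for cap in exposed - requested:
            for op in CAPABILITIES[cap]:
                coarse_binding.add((device, op))
    return coarse_capability, coarse_binding


if __name__ == "__main__":
    for name, app in (("battery manager", BATTERY_MANAGER), ("auto lock", AUTO_LOCK)):
        unused, unrequested = audit(app)
        print(name, "| unused but granted:", sorted(unused),
              "| never requested:", sorted(unrequested))
```

In this model the battery manager is clean at the capability level but still reaches the plug's on/off commands through the device binding, which is the situation the article's battery example describes.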

Unsecure Pincodes

The second major discovery revolves around the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events. The researchers found that the SmartThings event subsystem does not sufficiently protect events that carry sensitive information such as lock pincodes. That vulnerability could let hackers secretly plant door lock codes, steal existing door lock codes, disable vacation mode of a home, and induce a fake fire alarm, they said.

“Recently, several competing smart home programming frameworks that support third party app development have emerged,” the researchers wrote in a summary of their paper. “These frameworks provide tangible benefits to users, but can also expose users to significant security risks.”

The research team said that they chose Samsung's SmartThings platform for their test because it has the largest number of apps among the currently available smart home platforms and supports a broad range of devices, including motion sensors, fire alarms, and door locks.

Image Credit: Samsung’s SmartThings home monitoring system (pictured above) via Samsung.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.