Despite an ever-increasing number of companies turning their focus toward the internet of things, questions remain over the security of connected household devices. In the latest example of how these systems can be compromised, a team from the University of Michigan hacked Samsung’s SmartThings IoT platform.
The three researchers, who were partially sponsored by Microsoft, demonstrated four proof-of-concept hacks using malicious apps. They were able to remotely open electronically activated door locks, set off alarms, and change a smart home's settings.
The main problem, according to the researchers, is that out of the 499 SmartThings third-party apps (SmartApps) they investigated, 55 percent were found to be 'over-privileged': they are granted access to more operations on the devices they control than their functionality actually requires. Additionally, because SmartThings capabilities are coarse-grained, 42 percent of the apps were granted privileges that they never explicitly requested.
"Our key findings are twofold. First, although SmartThings implements a privilege separation model, we found that SmartApps can be overprivileged. That is, SmartApps can gain access to more operations on devices than their functionality requires," the researchers said.
"Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock PIN codes."
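The two findings quoted above can be made concrete with a small model of a capability-based app platform. The following Python is an added illustration written for this page, not code from the paper or from SmartThings; the capability names, the commands and attributes they grant, the sample apps and the "protected" event bus are all constructed for the example (the protected mode is a hypothetical hardening, not the fix SmartThings shipped). It shows how a coarse capability hands an app commands it never uses, and how an event bus that keys delivery on the device alone lets a battery-monitoring app read a lock's PIN-carrying codeReport event.

```python
"""Toy model of coarse-grained capabilities and an unprotected event bus.
Added example; capabilities, apps and events are constructed, not SmartThings data."""
from dataclasses import dataclass

# Constructed coarse-grained capabilities: declaring one grants every listed
# command and lets the app read every listed attribute.
CAPABILITIES = {
    "capability.lock": {
        "commands": {"lock", "unlock", "setCode", "deleteCode"},
        "attributes": {"lock", "codeReport"},
    },
    "capability.battery": {"commands": set(), "attributes": {"battery"}},
    "capability.switch": {"commands": {"on", "off"}, "attributes": {"switch"}},
    "capability.alarm": {"commands": {"siren", "strobe", "off"}, "attributes": {"alarm"}},
}

# Attributes whose events carry secrets (a lock's codeReport carries the PIN).
SENSITIVE_ATTRIBUTES = {"codeReport"}


@dataclass(frozen=True)
class SmartApp:
    name: str
    requested: frozenset      # capabilities the app asks the user to grant
    commands_used: frozenset  # commands its code actually invokes

    def granted_commands(self):
        return frozenset().union(*(CAPABILITIES[c]["commands"] for c in self.requested))

    def granted_attributes(self):
        return frozenset().union(*(CAPABILITIES[c]["attributes"] for c in self.requested))

    def overprivilege(self):
        """Commands the app may call but never does: what a coarse capability hands it for free."""
        return self.granted_commands() - self.commands_used


def audit(apps):
    """Return the over-privileged apps and their share of the sample."""
    over = [a for a in apps if a.overprivilege()]
    return over, len(over) / len(apps)


class EventBus:
    """Delivers device events to subscribed apps.

    protect=False: any app subscribed to a device sees every attribute event,
    including the PIN-bearing codeReport (the behaviour the paper describes).
    protect=True: hypothetical hardening added here for illustration; sensitive
    events go only to apps whose granted attributes cover them."""

    def __init__(self, protect=False):
        self.protect = protect
        self.subscriptions = []

    def subscribe(self, app, device):
        self.subscriptions.append((app, device))

    def publish(self, device, attribute, value):
        delivered = []
        for app, dev in self.subscriptions:
            if dev != device:
                continue
            if (self.protect and attribute in SENSITIVE_ATTRIBUTES
                    and attribute not in app.granted_attributes()):
                continue
            delivered.append((app.name, attribute, value))
        return delivered


# Constructed sample apps (hypothetical names and behaviour).
AUTO_LOCK = SmartApp("auto-lock", frozenset({"capability.lock"}), frozenset({"lock"}))
BATTERY_MONITOR = SmartApp("battery-monitor", frozenset({"capability.battery"}), frozenset())
LIGHT_TIMER = SmartApp("light-timer", frozenset({"capability.switch"}), frozenset({"on", "off"}))
PANIC = SmartApp("panic-button", frozenset({"capability.alarm"}), frozenset({"siren"}))
APPS = [AUTO_LOCK, BATTERY_MONITOR, LIGHT_TIMER, PANIC]


def leaked_pin_recipients(protect):
    """Which apps receive the front-door lock's codeReport event (PIN inside)?"""
    bus = EventBus(protect=protect)
    bus.subscribe(AUTO_LOCK, "front-door")
    bus.subscribe(BATTERY_MONITOR, "front-door")
    bus.publish("front-door", "battery", 87)  # harmless event, delivered to both
    got = bus.publish("front-door", "codeReport", {"slot": 1, "code": "1234"})
    return sorted(name for name, _, _ in got)


if __name__ == "__main__":
    over, share = audit(APPS)
    for a in over:
        print(f"{a.name}: unused commands {sorted(a.overprivilege())}")
    print(f"{share:.0%} of sample apps are over-privileged")
    print("unprotected bus delivers PIN to:", leaked_pin_recipients(False))
    print("protected bus delivers PIN to:", leaked_pin_recipients(True))
```

Two things to take from running it: the auto-lock app only ever calls `lock`, yet `capability.lock` also hands it `unlock`, `setCode` and `deleteCode`, which is exactly the over-privilege the audit flags; and the battery monitor, which asked for nothing beyond `capability.battery`, still receives the `codeReport` event on the unprotected bus because delivery is keyed on the device rather than on what the subscriber was granted.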
The University of Michigan has worked with Samsung over the last few weeks, and all of the security issues have now been addressed. It has also been pointed out that none of the vulnerabilities affected any SmartThings customers.
A SmartThings representative gave the following statement:
The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure. Following this report, we have updated our to provide even better security guidance to developers.
Smart home devices and their associated programming platforms will continue to proliferate and will remain attractive to consumers because they provide powerful functionality. However, the findings in this paper suggest that caution is warranted as well – on the part of early adopters, and on the part of framework designers. The risks are significant, and they are unlikely to be easily addressed via simple security patches.
There have been several cases of security holes being found in connected household devices. It was reported back in January that a researcher discovered he could view vulnerable webcams, including baby monitors, using a browser dedicated to searching for IoT devices.