Internet of Things Security Paucity Highlighted In SmartThings Platform Vulnerabilities

Researchers have discovered vulnerabilities in Samsung’s Smart Home automation system which they could manipulate to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world. This only highlights the dangers of increasingly interconnected ‘things’ in the Internet of Things space.

A group of researchers at the University of Michigan and Microsoft have published what they call the first in-depth security analysis of SmartThings, one such smart home platform that allows anyone to control their home appliances from light bulbs to locks with a PC or smartphone.

All it takes is the introduction of a piece of malware, and suddenly, that smart home is not quite so smart, after all. Security researchers have been sounding the warning for years about the dangers inherent in the adoption of Internet of Things, especially with regards to networked home appliances, which makes it relatively easy to introduce a deluge of new hackable vulnerabilities into everyday objects.

The researchers found they could exploit SmartThings’ flawed implementation of a common authentication protocol known as OAuth. The researchers analyzed an Android app designed to control SmartThings services, and found a certain code—meant to be secret—that let them take advantage of a flaw in the SmartThings web server known as an “open redirect.”

Most of the attacks were made possible by a design flaw in the SmartThings capability model that causes apps to receive privileges that were never explicitly requested. As a result, many apps are “overprivileged,” often through no fault of the developer.

55 percent of the 499 SmartApps available during the time of their research qualified as being overprivileged, meaning they didn’t use at least some of the device rights that were requested, according to the researchers. They also further found that 42 percent of apps were granted privileges they never asked for. Such overly broad permissions violate a core security tenet known as the least privilege principle, which calls for apps and processes to be granted as minimal a level of access as needed to perform their specified tasks.

SmartThings responded by saying “the potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure.” They also said the OAuth mechanism has recently been fixed.