Security researchers at the University of Michigan have discovered a number of design flaws in Samsung's SmartThings platform. The flaws can undermine the security of any smart home setup using the SmartThings ecosystem.
One of the attacks relies on the user downloading a malicious app from the SmartThings store or following a malicious link. Once the malicious app is downloaded, an attacker could carry out a remote attack from anywhere in the world.
Understandably, Samsung has been defensive about the critical security issues, stating that it is fully aware of the issues and that they are being actively fixed.
Is that good enough? Or should Samsung, a multinational technology company, be actively investigating why its products are apparently shipping with security bugs? Let's see.
Security researchers at the University of Michigan devised several proof-of-concept exploits focused on exposing any potential flaws in the Samsung SmartThings ecosystem. As Samsung is one of the largest manufacturers of Internet of Things (IoT) ready devices, including refrigerators, thermostats, ovens, security doors, locks, panels, sensors and much more, it will come as no surprise that its security credentials come under scrutiny.
The researchers confirmed that the vulnerabilities were caused by two intrinsic design flaws in the SmartThings ecosystem. Moreover, these two design flaws are not necessarily easy to fix.
The issues relate to the way third-party smart home control apps implement the OAuth authorization protocol. The researchers discovered an unsupported app and were able to build a full attack on the flaw: a single link that leads to the actual SmartThings login page while stealing the user's login token at the same time. With the tokens in hand, an attacker could create their own PIN for a smart lock while the user would remain unaware.
Another attack exploited a vulnerability to turn "vacation mode" off, demonstrating access to high-level permissions. Once an attacker has access to "vacation mode", they can defeat any pre-programmed vacation defenses, such as turning lights on and off throughout the house, or opening and closing blinds to simulate an occupied residence.
This leads to the second facet of the SmartThings security problem. Most applications exploited by the researchers should not have this level of operating privilege to begin with. The security researchers established that the SmartThings store contains more than 500 individual apps. They then found that over 40% of these apps hold more privileges than the sometimes simple job they were designed to do requires.
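An added example, not taken from the article or from the researchers' work: a small audit that compares what each app needs for its stated job with what it can actually reach. It assumes a simplified permission model in which authorizing an app for a device exposes every capability of that device; the app, device and capability names are constructed.

```python
# Constructed sample data: which capabilities each device exposes.
DEVICES = {
    "front-door-lock": {"battery", "lock", "lockCodes"},
    "hall-motion-sensor": {"battery", "motion"},
    "garage-motion-sensor": {"motion"},
}

# Constructed sample data: what each app needs and which devices the user picked.
APPS = {
    "battery-monitor": {"needs": {"battery"},
                        "devices": ["front-door-lock", "hall-motion-sensor"]},
    "auto-lock": {"needs": {"lock"}, "devices": ["front-door-lock"]},
    "motion-lights": {"needs": {"motion"}, "devices": ["garage-motion-sensor"]},
}

SENSITIVE = frozenset({"lock", "lockCodes"})  # assumed high-impact capabilities


def effective_grant(app, devices):
    """Everything the app can reach when grants are per device (model assumption)."""
    granted = set()
    for name in app["devices"]:
        granted |= devices[name]
    return granted


def excess_privileges(app, devices):
    """Per device, capabilities the app can reach but does not need for its job."""
    excess = {}
    for name in app["devices"]:
        extra = devices[name] - app["needs"]
        if extra:
            excess[name] = sorted(extra)
    return excess


def audit(apps, devices, sensitive=SENSITIVE):
    """Report over-privileged apps and flag those that reach sensitive capabilities."""
    report = {}
    for app_id, app in apps.items():
        excess = excess_privileges(app, devices)
        if excess:
            reachable = {cap for caps in excess.values() for cap in caps}
            report[app_id] = {"excess": excess,
                              "high_risk": bool(reachable & sensitive)}
    return report


if __name__ == "__main__":
    for app_id, finding in audit(APPS, DEVICES).items():
        print(app_id, finding)
```
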
These over-privileged applications create a significant security problem, although it is often not entirely the fault of the designer. Atul Prakash, a professor of computer science and engineering at the University of Michigan, explained it like this:
Unsurprisingly, Samsung has been protective of its Internet of Things interests. The SmartThings statement is as follows:
It's not the first time Samsung has encountered IoT security issues, nor is it an isolated issue for a single tech company. IoT devices have always been a source of security issues, and most users exploring new Internet-ready, networked devices don't fully understand the seriousness of what they're doing.
The research team even completed an extremely small study of people using SmartApps, drawing their attention to the permissions they granted.
Surprisingly, 20 of the 22 people interviewed would allow a battery monitoring app to check the status of smart locks installed at their premises, on the premise that the app would send door access codes to a remote server. This may be a case of users failing to do their due diligence on personal safety, all the more so given the possibility of serious loss or, in the worst case, personal danger.
But still, and this is where I sympathize with users, a major problem is that companies that install and deploy smart systems in private residences and businesses don't offer enough educational support to users.
Sure, the user may understand what the installer is talking about, but have they really digested the fact that their entire home is networked? Do they understand that their refrigerator is now online? Because you can bet your bottom dollar that the user will be much more aware of their tablet's vulnerabilities than of the somewhat intangible threat to the contents of the Samsung smart fridge they have just received.
Or, as the team of researchers at the University of Michigan wrote:
There is no need to panic. Samsung has already started to address some of the major issues highlighted in the paper, though it will take a while to ensure that the SmartThings framework is a truly secure smart home platform.
Do you use SmartThings? Would you consider switching to a different framework? Let us know below!