Electronic Product Design

Tuesday, 10 May 2016 00:00 Written by

SmartThings Not So Smart

10-05-16 - Internet of things 200Last year we took a look at the potential dangers concerning massive amounts of IoT Ready devices coming online. While the unthinkable hasn’t happened – our power stations are still running, I think (though they do seem to find significant amounts of malware at these critical facilities) – the numbers of regular users purchasing and installing IoT devices in their homes has risen significantly.

Users install a wide range of products in their homes, including smart door locks, automated window blinds, light switches, thermostats, as well as fridges, microwaves, and other home appliances. However, security researchers recently found two flaws undermining the security of a major Internet of Things platform. Samsung's SmartThings framework was breached using a number of proof-of-concept malicious applications, resulting in the exposure of multiple vulnerabilities.

Samsung SmartThing Security

The major issues come from two flaws in the underlying SmartThings framework.

The first relates to how third-party smart home control applications implement the authorisation protocol OAuth. Researchers realised they could effectively steal the tokens issued to the individual login during the authorisation process by sending a simple link to the actual SmartThings login page. Once the tokens had been stolen, they could create their own PIN for a smart lock, without ever alerting the user.

Similarly, the security researchers managed to gain control of SmartThings "vacation mode", usually switched on when people leave their homes for a long period of time. The "vacation mode" cycles lights throughout the house, and opens and closes blinds periodically to simulate an occupied house, deterring potential intruders. Once the researchers had accessed "vacation mode", it was easily turned off, potentially leading to an intrusion.

The "vacation mode" exploit showcased access to high-level permissions granted to SmartThings apps. Instead of offering just the basic level of permission required for the app, researchers found a multitude of apps with vastly more privilege than was required for their sometimes basic task. These "over-privilege" apps create a significant security issue – though it isn't always the app designers' fault, we must add. Atul Prakash, University of Michigan professor of computer science and engineering explained it like so:

"The access SmartThings grants by default is at a full device level, rather than any narrower. As an analogy, say you give someone permission to change the light bulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets."

What Did Samsung Say?

Understandably, they were cagey, but acknowledged that there were underlying issues. They also issued a statement saying they had updated their OAuth issue, and that this should no longer be a cause for concern.

While this may be true, it still highlights the need for caution with IoT devices in the home. While the future may be arriving in the form of fully network homes and appliances, our security protocols haven't entirely caught up, and in some cases, are incorrectly implemented.


Image courtesy of bluebay / freedigitalphotos.net.

Leave a comment

Our Latest News

Search

How we do it

Connect with us

Check us out:



More stuff

Contact Us

CONTACT US

Hawkshead Designs Ltd
Unit 4 Penrose House
Treleigh Industrial Estate
Redruth
TR16 4DE
UK

T: 01209 216 878

E: info@hawksheaddesigns.co.uk

Electronic Design Solutions and Electronic Product Design

Read our Standard Terms & Conditions here.

This website is brought to you by Nicola Bathe.