Users install a wide range of products in their homes, including smart door locks, automated window blinds, light switches, thermostats, as well as fridges, microwaves, and other home appliances. However, security researchers recently found two flaws undermining the security of a major Internet of Things platform. Samsung's SmartThings framework was breached using a number of proof-of-concept malicious applications, resulting in the exposure of multiple vulnerabilities.
Samsung SmartThings Security
The major issues come from two flaws in the underlying SmartThings framework.
The first relates to how third-party smart home control applications implement the authorisation protocol OAuth. Researchers realised they could effectively steal the tokens issued to an individual user during the authorisation process simply by sending that user a link to the genuine SmartThings login page. Once the tokens had been stolen, they could create their own PIN for a smart lock without ever alerting the user.
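One control that bears directly on this class of token-theft flaw is how strictly the authorisation server checks the redirect_uri on an OAuth request before it hands back a code or token. The following is an added illustration, not code from the article or from Samsung's platform: it compares a lax prefix check against the exact-match comparison that current OAuth 2.0 security guidance recommends, over a set of constructed redirect targets. The registered URI, the host names and the sample requests are all made-up values.

```python
from urllib.parse import urlsplit

# Constructed sample: the callback URI that a hypothetical companion app
# registered with the authorisation server. Not a real SmartThings value.
REGISTERED_REDIRECT = "https://companion.example/oauth/callback"


def lax_redirect_check(requested: str) -> bool:
    """The weak pattern: accept any redirect_uri that merely begins with the
    registered value. Anything appended (query, extra path) slips through."""
    return requested.startswith(REGISTERED_REDIRECT)


def strict_redirect_check(requested: str) -> bool:
    """Exact-match comparison, as OAuth 2.0 security guidance recommends:
    scheme, host, port and path must all equal the registered value, and a
    query string or fragment on the redirect target is refused outright."""
    reg = urlsplit(REGISTERED_REDIRECT)
    req = urlsplit(requested)
    return (
        req.scheme == "https"           # never hand a code/token to plain HTTP
        and req.scheme == reg.scheme
        and req.hostname == reg.hostname
        and req.port == reg.port
        and req.path == reg.path
        and req.query == ""
        and req.fragment == ""
    )


# Constructed redirect_uri values an authorisation server might receive.
SAMPLE_REQUESTS = {
    "exact":          "https://companion.example/oauth/callback",
    "query_appended": "https://companion.example/oauth/callback?next=https://other.example",
    "path_appended":  "https://companion.example/oauth/callback/../forward",
    "other_host":     "https://companion.example.other.example/oauth/callback",
    "plain_http":     "http://companion.example/oauth/callback",
}


def evaluate(requests=None):
    """Return {label: (accepted_by_lax, accepted_by_strict)} for each sample."""
    requests = SAMPLE_REQUESTS if requests is None else requests
    return {label: (lax_redirect_check(uri), strict_redirect_check(uri))
            for label, uri in requests.items()}


if __name__ == "__main__":
    for label, (lax, strict) in evaluate().items():
        print(f"{label:15} lax={lax!s:5} strict={strict}")
```

Running the script shows the two checks agreeing on the exact URI and on the wrong host, but the prefix check also waves through a redirect target with a query string or an extra path segment appended, which is exactly the slack that lets a token end up somewhere the user never intended.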
Similarly, the security researchers managed to gain control of SmartThings "vacation mode", usually switched on when people leave their homes for a long period of time. The "vacation mode" cycles lights throughout the house, and opens and closes blinds periodically to simulate an occupied house, deterring potential intruders. Once the researchers had accessed "vacation mode", it was easily turned off, potentially leading to an intrusion.
The "vacation mode" exploit showcased the high-level permissions granted to SmartThings apps. Instead of offering just the basic level of permission an app requires, the researchers found a multitude of apps with vastly more privilege than was needed for their sometimes basic task. These "over-privileged" apps create a significant security issue – though it isn't always the app designers' fault, we must add. Atul Prakash, University of Michigan professor of computer science and engineering, explained it like so:
"The access SmartThings grants by default is at a full device level, rather than any narrower. As an analogy, say you give someone permission to change the light bulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets."
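The analogy above describes a platform that grants at the granularity of a whole device rather than of a single capability. As an added illustration (not the article's or SmartThings' own code, and with constructed device and app names), the script below models both grant policies and runs a small audit that lists, per app, any capability it holds but never uses. It also includes an app that over-requests on its own, to show that over-privilege can come from either the platform's coarseness or the app's manifest.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    capabilities: frozenset  # the distinct functions the device exposes


@dataclass(frozen=True)
class AppRequest:
    app: str
    device: Device
    requested: frozenset  # capabilities the app asks for at install time
    used: frozenset       # capabilities its code actually invokes


# Constructed sample inventory; names and capabilities are illustrative only.
FRONT_DOOR = Device("front door lock", frozenset({"lock", "battery"}))
HALL_LIGHT = Device("hall light", frozenset({"switch", "level"}))

INSTALLS = [
    # Each app's manifest matches what it uses (platform granularity decides).
    AppRequest("battery monitor", FRONT_DOOR, frozenset({"battery"}), frozenset({"battery"})),
    AppRequest("evening lights", HALL_LIGHT, frozenset({"switch"}), frozenset({"switch"})),
    AppRequest("lock manager", FRONT_DOOR, frozenset({"lock"}), frozenset({"lock"})),
    # This app asks for more than it uses: over-privilege of the app's own making.
    AppRequest("door status", FRONT_DOOR, frozenset({"lock", "battery"}), frozenset({"battery"})),
]


def device_level_grant(req: AppRequest) -> frozenset:
    """Coarse model: any grant on a device yields every capability it has."""
    return req.device.capabilities


def capability_level_grant(req: AppRequest) -> frozenset:
    """Fine-grained model: grant only what was requested and the device offers."""
    return req.requested & req.device.capabilities


def over_privilege(granted: frozenset, used: frozenset) -> frozenset:
    """Capabilities the app holds but never exercises."""
    return granted - used


def audit(installs, grant):
    """Return {app: sorted extra capabilities} for every app that ends up
    holding capabilities it does not use under the given grant model."""
    report = {}
    for req in installs:
        extra = over_privilege(grant(req), req.used)
        if extra:
            report[req.app] = sorted(extra)
    return report


if __name__ == "__main__":
    print("device-level grants:    ", audit(INSTALLS, device_level_grant))
    print("capability-level grants:", audit(INSTALLS, capability_level_grant))
```

Under device-level grants every app on the list ends up over-privileged (the battery monitor, for instance, can operate the lock); under capability-level grants only the app that over-requested remains in the report, which is the part that really is the app designer's responsibility.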
What Did Samsung Say?
Understandably, Samsung was cagey, but it acknowledged that there were underlying issues. It also issued a statement saying it had addressed the OAuth issue and that this should no longer be a cause for concern.
While this may be true, it still highlights the need for caution with IoT devices in the home. The future may be arriving in the form of fully networked homes and appliances, but our security protocols haven't entirely caught up, and in some cases they are incorrectly implemented.
Image courtesy of bluebay / freedigitalphotos.net.