Hacking SmartThings home automation platform apparently not that hard
May 3, 2016 - Cybersecurity researchers at the University of Michigan were able to hack into a leading smart home automation system and, essentially, get the code to a home’s front door.
By Anthony Capkun
Their ‘lock-pick malware app’ was one of four attacks the cybersecurity researchers levelled at an experimental set-up of Samsung’s SmartThings—an IoT (internet of things) platform for consumers. The researchers believe this work is the first platform-wide study of a real-world connected home system… and they didn’t like what they saw.
“At least today, with the one public IoT software platform we looked at—which has been around for several years—there are significant design vulnerabilities from a security perspective,” said Atul Prakash, U-M professor of computer science and engineering. “I would say it’s okay to use as a hobby right now, but I wouldn’t use it where security is paramount.”
Earlence Fernandes, a doctoral student who led the study, said “letting it control your window shades is probably fine”.
“One way to think about it is if you’d hand over control of the connected devices in your home to someone you don’t trust; and then imagine the worst they could do with that, and consider whether you’re okay with someone having that level of control,” he said.
Regardless of how safe individual devices are (or claim to be), new vulnerabilities form when hardware like electronic locks, thermostats, ovens, sprinklers, lights and motion sensors are networked and set up to be controlled remotely. That’s their convenience and key selling point.
As a testament to SmartThings’ growing use, its Android companion app that lets you manage your connected home devices remotely has been downloaded more than 100,000 times. SmartThings’ app store, where third-party developers can contribute SmartApps that run in the platform’s cloud and let users customize functions, holds more than 500 apps.
The researchers performed a security analysis of the SmartThings’ programming framework and, to show the impact of the flaws they found, they say they conducted four successful proof-of-concept attacks.
They demonstrated a SmartApp that eavesdropped on someone setting a new PIN for a door lock, then sent that PIN in a text message to a potential hacker. The ‘lock-pick malware app’ was disguised as a battery level monitor, and only expressed the need for that capability in its code.
As an example, they showed that an existing, highly rated SmartApp could be remotely exploited to virtually make a spare door key by programming an additional PIN into the electronic lock. The exploited SmartApp was not originally designed to program PIN codes into locks.
They showed that one SmartApp could turn off ‘vacation mode’ in a separate app that lets you program the timing of lights, blinds, etc., while you’re away to help secure the home.
They demonstrated that a fire alarm could be made to go off by any SmartApp injecting false messages.
How is all this possible? The security loopholes the researchers uncovered fall into a few categories; one common problem is the platform grants its SmartApps too much access to devices and to the messages those devices generate.
The researchers call this “over-privilege”.
“The access SmartThings grants by default is at a full device level, rather than any narrower,” Prakash said. “As an analogy, say you give someone permission to change the light bulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets.”
More than 40% of the nearly 500 apps they examined were granted capabilities the developers did not specify in their code. That’s how the researchers could eavesdrop on setting of lock PIN codes.
The researchers also found that it is possible for app developers to deploy an authentication method called OAuth incorrectly. This flaw, in combination with SmartApps being over-privileged, allowed the hackers to program their own PIN into the lock to make their own secret spare key.
Finally, the ‘event subsystem’ on the platform is insecure. This is the stream of messages devices generate as they’re programmed and carry out those instructions. The researchers were able to inject erroneous events to trick devices; that’s how they managed the fire alarm and flipped the switch on ‘vacation mode’.
“The bottom line is that it’s not easy to secure these systems,” Prakash said. “There are multiple layers in the software stack, and we found vulnerabilities across them, making fixes difficult.”