A newly-discovered security flaw in Samsung’s SmartThings hub is proving that even the biggest smart home systems aren’t hack-proof.
Researchers at the University of Michigan, in conjunction with Microsoft Research, have discovered a vulnerability in the SmartThings platform that allows hackers to effectively create their own keys for a connected door lock. A separate issue with app privileges would also allow an attacker to remotely control devices on the SmartThings network, and possibly steal the PIN for a home’s door locks, Wired reports.
The biggest issue relates to how third-party smart home control apps implement the authorization protocol OAuth. Although SmartThings issues guidelines on how these apps are supposed to work, all it took was one non-compliant app to open up a flaw in the SmartThings web server. The attackers were then able to create a link to Samsung’s actual SmartThings login page, but with the secret ability to steal the user’s login tokens. With those tokens in hand, an attacker could create their own PIN for a home’s door locks, unbeknownst to the user.
In practice, a spoofed email claiming to be from SmartThings would be enough to fool users into surrendering their login tokens and granting access to their homes.
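To make the token-theft risk described above concrete, here is an added illustration (not SmartThings' or the researchers' code, and not a claim about how the SmartThings server was written) of why OAuth guidance insists on strict redirect URI handling: a loosely validated `redirect_uri` lets a link to the genuine login page deliver the resulting token to a look-alike host the user never registered. All hostnames, client IDs and URLs are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registry: the redirect URI each client registered up front.
# A real authorization server would load this from its client database.
REGISTERED_REDIRECTS = {
    "battery-monitor-app": {"https://battery-monitor.example/oauth/callback"},
}

def loose_redirect_check(client_id, redirect_uri):
    """Weak pattern (hypothetical): accept any redirect whose host merely
    contains the registered host. A look-alike host satisfies this, so the
    token leaves the user's trust boundary."""
    host = urlsplit(redirect_uri).hostname or ""
    return any(urlsplit(a).hostname in host
               for a in REGISTERED_REDIRECTS.get(client_id, ()))

def strict_redirect_check(client_id, redirect_uri):
    """Hardened pattern: exact match against the pre-registered URIs,
    https only, no fragment; no prefix or substring matching at all."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, ())

def authorize(client_id, redirect_uri, check):
    """Simulated authorization endpoint: returns the URI the token would be
    sent to after login, or None when the request is refused."""
    return redirect_uri if check(client_id, redirect_uri) else None

def decide(link, check):
    """Parse an authorization link a user might click and run it through
    the given redirect check."""
    q = parse_qs(urlsplit(link).query)
    return authorize(q["client_id"][0], q["redirect_uri"][0], check)

# Constructed links. Both point at the real login page; only the redirect differs.
LEGIT_LINK = ("https://auth.example/oauth/authorize?client_id=battery-monitor-app"
              "&redirect_uri=https://battery-monitor.example/oauth/callback")
LURE_LINK = ("https://auth.example/oauth/authorize?client_id=battery-monitor-app"
             "&redirect_uri=https://battery-monitor.example.look-alike.example/cb")

if __name__ == "__main__":
    for name, check in (("loose", loose_redirect_check),
                        ("strict", strict_redirect_check)):
        print(name, "lure ->", decide(LURE_LINK, check))
```

The loose check sends the token to the look-alike host, while the strict check refuses the lure and still accepts the registered callback.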
The researchers also described a separate problem with apps that ask for too much control over a user’s smart home. As a proof-of-concept, the researchers created an app that claimed to only monitor the battery level of various devices, but in fact was able to set off smoke detectors, disable “vacation mode,” and steal the PIN to the user’s door locks. Users who don’t pay close attention to an app’s permission requests would be vulnerable.
What is SmartThings doing about all this? The company told The Verge that it is updating its documentation for developers to prevent bad implementations of OAuth, but it’s unclear if the underlying flaw will be fixed. As for the prospect of malicious apps, SmartThings says it is adding new security review requirements, though the researchers claim they could bypass inspection by injecting malicious commands from their servers after approval. In other words, these vulnerabilities are being mitigated, but not fixed outright.
Update: SmartThings says it is no longer allowing developers to use OAuth endpoints without going through the official submission process, which includes a source code security review. The company also says it is making underlying platform changes to "systematically prevent these potential vulnerabilities in the future."
This isn’t the first instance of security flaws in the SmartThings platform. Last December, researchers discovered a flaw in the underlying ZigBee networking protocol that would let attackers jam communications on the network during a break-in, thereby preventing security alarms from triggering. Samsung issued a fix for users a few months later.
Why this matters: SmartThings is hardly alone in having vulnerabilities in its smart home platform, as research has shown problems on a wide range of other devices. While users can take some precautions on their own, it’s unlikely that any system will be completely free of security flaws. Users will need to weigh the convenience of these products against the security risks—especially for products that provide access to the home or its vital functions—and consider multiple layers of security to prevent an attack.
This article has been updated to clarify that SmartThings operates independently from Samsung.