“Smart home” security flaws found in popular system

that an existing, highly rated SmartApp could be remotely exploited to virtually make a spare door key by programming an additional PIN into the electronic lock. The exploited SmartApp was not originally designed to program PIN codes into locks.

  • They showed that one SmartApp could turn off “vacation mode” in a separate app that lets you program the timing of lights, blinds, etc., while you’re away to help secure the home.
  • They demonstrated that a fire alarm could be made to go off by any SmartApp injecting false messages.

    • How is all this possible? The security loopholes the researchers uncovered fall into a few categories. One common problem is that the platform grants its SmartApps too much access to devices and to the messages those devices generate. The researchers call this “over-privilege.”

    The access SmartThings grants by default is at a full device level, rather than any narrower,” Prakash said. “As an analogy, say you give someone permission to change the lightbulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets.”

    More than 40 percent of the nearly 500 apps they examined were granted capabilities the developers did not specify in their code. That’s how the researchers could eavesdrop on setting of lock PIN codes.

    The researchers also found that it is possible for app developers to deploy an authentication method called OAuth incorrectly. This flaw, in combination with SmartApps being over-privileged, allowed the hackers to program their own PIN code into the lock — to make their own secret spare key.

    Finally, the “event subsystem” on the platform is insecure. This is the stream of messages devices generate as they’re programmed and carry out those instructions. The researchers were able to inject erroneous events to trick devices. That’s how they managed the fire alarm and flipped the switch on vacation mode.

    These results have implications for all smart home systems, and even the broader Internet of Things.

    The bottom line is that it’s not easy to secure these systems” Prakash said. “There are multiple layers in the software stack and we found vulnerabilities across them, making fixes difficult.”

    The researchers told SmartThings about these issues in December 2015 and the company is working on fixes. The researchers rechecked a few weeks ago if a lock’s PIN code could still be snooped and reprogrammed by a potential hacker, and it still could.

    U-M notes that in a statement, SmartThings officials say they are continuing to explore “long-term, automated, defensive capabilities to address these vulnerabilities.” They’re also analyzing old and new apps in an effort to ensure that appropriate authentication is put in place, among other steps.

    The researchers will present a paper on the findings, titled “Security Analysis of Emerging Smart Home Applications,” 24 May at the IEEE Symposium on Security and Privacy in San Jose.