UMICH researchers remotely pick locks of Samsung SmartThings connected home systems

UMICH researchers remotely unlocked doors after hacking into connected home systems

Cyber-security researchers at the University of Michigan have developed a series of attacks that allow them to hack into Samsung SmartThings connected home systems and remotely unlock doors.

One of the researchers, PhD candidate Earlence Fernandes, told SCMagazine.com via email that an incorrect OAuth implementation in an Android remote control app made the attacks possible.

One attack used a malicious application placed on a phone to eavesdrop on a potential victim when he sets a new PIN code for a door lock, according to a video that Fernandes's team posted to YouTube on May 2.

Once the new code has been set, the attacker will receive a text message containing the new PIN that will allow them to unlock the door, researchers said in the video.

Another attack requires that researchers exploit vulnerabilities in the existing SmartApp, which controls the Samsung SmartThings connected home systems, by sending a message to the SmartApp from a separate computer. That message enables them to program their own PIN codes for the door lock, the researchers said.

Fernandes explained that over-privilege was at the root of all the attacks.

“When this is combined – as we showed in our work – with other more common issues like use of unsanitised strings over HTTP, improper OAuth implementation, [and] users falling for phishing attacks, the over-privilege flaws become much more dangerous because they can be exploited using malware, or even remotely at that point,” Fernandes said.

Developers should limit app privileges to those the apps need to carry out their assigned tasks, Fernandes said, adding that other problems could be solved by using secure development practices and following established security practices.

The vulnerabilities were disclosed to SmartThings in December 2015 and, as of April 29, 2016, had not been fixed, Fernandes said. However, he noted that Samsung has already improved its documentation and has made changes to look over its app review process.

SmartThings CEO and Founder Alex Hawkinson said in an emailed statement to SCMagazine.com that his company is fully aware of the vulnerability and is continuing to secure the platform.

“The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure,” Hawkinson said.   

He added that malicious SmartApps have not and would not impact customers because the company's review process would not approve malicious apps for publication.

Tripwire senior security researcher Craig Young, who studied similar vulnerabilities in Samsung and other connected home systems, speculated to SCMagazine.com that the vulnerability most likely exists within the SmartThings ecosystem.

“It doesn't sound like the flaws exist in the Samsung code or the SmartThings code,” but more like an issue with one of the outside developers, Young said.

Samsung is probably waiting on an outside developer, which may be a small business or even a single individual, to patch the vulnerable code, he said, and doesn't want to disrupt its end users' service while they wait.