That lock was supposed to be ‘smart’

Hi folks,

Did you know that Samsung's 'Smart' Home platform was found to have flaws that let attackers unlock doors and set off fire alarms?

An internet-connected door lock whose PIN can be programmed from your smartphone, as part of your "smart home", suddenly seems like a dumb idea.

A group of researchers at the University of Michigan and Microsoft have published what they describe as the first in-depth security analysis of one such "smart home" platform, which lets anyone control home appliances, from light bulbs to locks, from a PC or smartphone. They plan to present the paper at the IEEE Symposium on Security and Privacy this month. They found that the platform is hackable in ways ranging from triggering a smoke detector at will to planting a "backdoor" PIN code in a digital lock that gives silent access to your home.

The testing was focused on Samsung’s SmartThings platform that’s used in thousands of homes.

In their proof-of-concept attacks, the researchers exploited SmartThings' flawed implementation of OAuth, a common authorization protocol. While analysing an Android app built to control SmartThings services, they recovered the app's embedded OAuth client secret and found that the SmartThings web server's OAuth login flow had a flaw known as an "open redirect": it would send the result of a login to a redirect URL of the attacker's choosing instead of only to the URL registered for the app.

First the lock's owner is tricked into clicking a link that looks like it comes from SmartThings support. The link really does take the victim to the SmartThings HTTPS website, where the victim logs in, but because of the redirect parameter hidden in the URL, the victim's login token is sent to the attacker. The attacker can then log into the cloud-based controls for the door lock app and add a new four-digit PIN to the lock without the owner's knowledge.
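The redirect check at the centre of this attack, as an added example that is not SmartThings' code: a toy OAuth authorize endpoint in Python with a weak redirect_uri check (the open-redirect bug class the article describes) beside a strict exact-match check. The hostnames, paths, query strings and the client's registered redirect URI are constructed for the example.

```python
"""Redirect-URI validation at an OAuth authorization endpoint.

Added example, not SmartThings' code. A toy /oauth/authorize step that
contrasts a weak redirect_uri check (the open-redirect bug class described
in the article) with an exact-match check against a pre-registered URI.
Hostnames, paths and the client registration are constructed for the example.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed: the redirect URI a hypothetical client registered out of band.
REGISTERED_REDIRECTS = {"https://app.example-client.test/oauth/callback"}
CLIENT_HOST = "example-client.test"


def weak_is_allowed(redirect_uri: str) -> bool:
    """Open-redirect pattern: accept any URI that merely mentions the client's host."""
    return CLIENT_HOST in redirect_uri


def strict_is_allowed(redirect_uri: str) -> bool:
    """Exact-string match against the registered set (RFC 6749 section 3.1.2.3),
    after rejecting anything that is not plain https with no fragment or userinfo."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.fragment or parts.username or parts.password:
        return False
    return redirect_uri in REGISTERED_REDIRECTS


def authorize(query: str, is_allowed, code: str = "AUTHCODE123") -> dict:
    """Toy authorize endpoint, called after the user has logged in.

    Returns {"redirect": url} when the authorization code is released to
    redirect_uri, or {"error": msg} when the server must not redirect at all
    (the strict path shows an error rather than bouncing to the supplied URI).
    """
    redirect_uri = parse_qs(query).get("redirect_uri", [""])[0]
    if not is_allowed(redirect_uri):
        return {"error": "invalid redirect_uri"}
    sep = "&" if "?" in redirect_uri else "?"
    return {"redirect": redirect_uri + sep + urlencode({"code": code})}


def leaked_code_host(query: str, is_allowed) -> Optional[str]:
    """Host that ends up receiving the authorization code, or None if refused."""
    result = authorize(query, is_allowed)
    if "redirect" not in result:
        return None
    return urlsplit(result["redirect"]).hostname


# Constructed attacker link: the string contains the client's host, but the
# browser will be sent to attacker.test, which then receives ?code=...
ATTACK_QUERY = urlencode({
    "client_id": "demo",
    "response_type": "code",
    "redirect_uri": "https://attacker.test/steal?looks_like=example-client.test",
})
# Constructed honest link from the registered client.
HONEST_QUERY = urlencode({
    "client_id": "demo",
    "response_type": "code",
    "redirect_uri": "https://app.example-client.test/oauth/callback",
})

if __name__ == "__main__":
    print("weak check sends the code to:  ", leaked_code_host(ATTACK_QUERY, weak_is_allowed))
    print("strict check sends the code to:", leaked_code_host(ATTACK_QUERY, strict_is_allowed))
```

With the weak check, the phishing link delivers the authorization code to the attacker's host; combined with the client secret pulled out of the Android app, that code can be exchanged for an access token, which is the token-theft step the article describes. The strict path never redirects to an unregistered URI, so the same link only yields an error page.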

Atul Prakash, a University of Michigan computer science professor who worked on the study, said: "It's definitely possible to do an attack on a large number of users just by getting them to click on these links on a help forum or in emails… Once you have that, whoever clicks and signs on, we'll have the credentials required to control their smart app."

Three of the four demonstration attacks require the victim to be tricked in a different way: the attacker has to convince the user to install a malicious SmartApp, after first smuggling that app into the SmartThings app store.


A SmartThings spokesperson said in a statement: "Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp."

According to the researchers, neither the Android app they reverse engineered to exploit the SmartThings authentication flaw nor the privilege-overreach flaw itself has been fixed. They also say it would be difficult for Samsung's SmartThings app reviewers to detect the sort of malware they created: none of the battery-monitoring app's malicious commands were visible in its code, and they could instead be injected from the server that controls the app once it has passed code review and is running on the victim's behalf.

The researchers argue that the more fundamental issue in the SmartThings platform is "overprivilege." Of the 499 SmartApps they analysed, more than half held at least some privilege they considered overbroad, and 68 actually used capabilities they weren't meant to possess.
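One way to look for the overprivilege the researchers describe, as an added example and not SmartThings' own review tooling: a small Python scanner that compares the capabilities a SmartApp requests in its `input` declarations against the device commands it actually calls. The two SmartApp sources and the capability-to-command table are constructed for the example (the table is a hand-written subset, not the platform's full capability list).

```python
"""Static check for SmartApp command use beyond the requested capabilities.

Added example, not SmartThings tooling. It scans a SmartApp's Groovy source
for `input "name", "capability.x"` declarations and `name.command(...)`
calls, and reports any command the requested capability is not meant to
grant. The capability-to-command table is a hand-written subset assumed
for this example.
"""
import re

# Assumed subset of capability -> commands that capability is meant to grant.
CAPABILITY_COMMANDS = {
    "capability.battery": set(),                 # read-only battery level
    "capability.switch": {"on", "off"},
    "capability.lock": {"lock", "unlock"},
    "capability.lockCodes": {"setCode", "deleteCode"},
}
# Attribute reads are not commands, so they are never flagged.
READ_METHODS = {"currentValue", "currentState", "latestValue"}

INPUT_RE = re.compile(r'input\s+"(\w+)"\s*,\s*"(capability\.\w+)"')
CALL_RE = re.compile(r'\b(\w+)\.(\w+)\s*\(')


def requested_capabilities(src: str) -> dict:
    """Map each device-handle variable to the capability it was requested with."""
    return {name: cap for name, cap in INPUT_RE.findall(src)}


def find_overprivilege(src: str) -> list:
    """Return (variable, requested capability, command) for every call that
    uses a command the requested capability does not grant."""
    caps = requested_capabilities(src)
    findings = []
    for var, method in CALL_RE.findall(src):
        if var not in caps or method in READ_METHODS:
            continue  # not a device handle, or a harmless attribute read
        if method not in CAPABILITY_COMMANDS.get(caps[var], set()):
            findings.append((var, caps[var], method))
    return findings


# Constructed SmartApp: asks only for battery, but the handler issues a
# lock-code command. On the real platform the battery binding hands over the
# whole device object, so such a call would succeed at runtime.
BATTERY_MONITOR_SRC = r'''
definition(name: "Battery Monitor", namespace: "example", author: "constructed")
preferences {
    section("Monitor this device") {
        input "dev", "capability.battery", title: "Device"
    }
}
def installed() { subscribe(dev, "battery", batteryHandler) }
def batteryHandler(evt) {
    if (evt.integerValue < 20) { sendPush("Battery low on ${dev.displayName}") }
    dev.setCode(4, "1234")
}
'''

# Constructed SmartApp that stays within what it asked for.
LOCK_MANAGER_SRC = r'''
preferences {
    section("Lock to manage") { input "frontDoor", "capability.lock" }
}
def lockUp() {
    if (frontDoor.currentValue("lock") != "locked") { frontDoor.lock() }
}
'''

if __name__ == "__main__":
    for name, src in (("Battery Monitor", BATTERY_MONITOR_SRC),
                      ("Lock Manager", LOCK_MANAGER_SRC)):
        print(name, find_overprivilege(src) or "no overprivileged commands")
```

The caveat is the one the researchers raise: a check like this only catches a command that is literally in the source. A SmartApp that fetches its commands from a server after review, as their battery monitor did, shows the reviewer nothing to flag, which is why they argue the fix has to be finer-grained capabilities and device bindings at the platform level rather than better code review alone.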

"The code is set up so we can very nicely push in the malicious stuff," says Earlence Fernandes, the paper's lead author. "But you'd have to explicitly be looking for that." As evidence that SmartThings owners would actually install their malware, the researchers surveyed 22 SmartThings users and found that 77 percent of them would be interested in the battery monitor app.

Michigan’s Prakash said that consumers should approach the whole notion of a smart home with caution. “These software platforms are relatively new. Using them as a hobby is one thing, but they’re not there yet in terms of sensitive tasks,” he says. “As a homeowner thinking of deploying them, you should consider the worst case scenario, where a remote hacker has the same capabilities you do, and see if those risks are acceptable.”

Source: Akati
