Samsung's SmartThings platform has shown to be vulnerable to attack from apps downloaded through its own app store

Smart home security systems still 'highly vulnerable'

Smart home security systems have been shown to be highly vulnerable to outside attack, after cybersecurity researchers easily extracted a front door’s PIN code.

A team at the University of Michigan hacked into one of the most prominent smart home automation systems - Samsung's SmartThings - using a ‘lock-pick malware app’.

SmartThings is currently one of the top-selling Internet of Things platforms for consumers. However, the new study looking into the security of these systems has not yielded promising results.

"At least today, with the one public IoT software platform we looked at, which has been around for several years, there are significant design vulnerabilities from a security perspective," said Atul Prakash, professor of computer science and engineering at the University of Michigan.

"I would say it's okay to use as a hobby right now, but I wouldn't use it where security is paramount."

The team found that new vulnerabilities were introduced into the smart home system when hardware like electronic locks, thermostats, ovens, sprinklers, lights and motion sensors were networked and set up to be controlled remotely.

SmartThings is rapidly increasing in popularity; its Android companion app that lets you manage your connected home devices remotely has been downloaded more than 100,000 times. SmartThings' app store, where third-party developers can contribute apps that run in the platform's cloud and let users customize functions, already holds more than 500 apps.

The researchers performed a security analysis of the SmartThings' programming framework and to show the impact of the flaws they found, they conducted four successful proof-of-concept attacks.

They demonstrated a SmartApp that eavesdropped on someone setting a new PIN code for a door lock, and then sent that PIN in a text message to a potential hacker. The SmartApp, which they called a ‘lock-pick malware app’ was disguised as a battery level monitor and only expressed the need for that capability in its code.

Earlence Fernandes, a doctoral student in computer science and engineering who led the study said: "One way to think about it is if you'd hand over control of the connected devices in your home to someone you don't trust and then imagine the worst they could do with that and consider whether you're okay with someone having that level of control."

As an example, they showed that an existing, highly rated SmartApp could be remotely exploited to virtually make a spare door key by programming an additional PIN into the electronic lock even though that app was not originally designed to program PIN codes into locks.

They showed that one SmartApp could turn off ‘vacation mode’ in a separate app that lets you program the timing of lights and blinds while homeowners are away.

The team also demonstrated setting off a fire alarm inside the house by injecting false messages from a number of other SmartApps.

They concluded that the platform grants its SmartApps too much access to devices and the messages those devices generate.

"The access SmartThings grants by default is at a full device level, rather than any narrower," Prakash said. "As an analogy, say you give someone permission to change the lightbulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets."

More than 40 percent of the nearly 500 apps they examined were granted capabilities the developers did not specify in their code. That's how the researchers could eavesdrop on setting of lock PIN codes.

These results have implications for all smart home systems and even the broader Internet of Things.

"The bottom line is that it's not easy to secure these systems" Prakash said. "There are multiple layers in the software stack and we found vulnerabilities across them, making fixes difficult."

The researchers told SmartThings about their experiments last year but although the company says security fixes are being developed, the lock's PIN code could still be snooped and reprogrammed by a potential hacker as of a few weeks ago.

In a statement, SmartThings officials say they're continuing to explore "long-term, automated, defensive capabilities to address these vulnerabilities."

They're also analyzing old and new apps in an effort to ensure that appropriate authentication is put in place, among other steps.

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles