Update: Samsung has issued a statement to us, which just expands on its earlier response. You can read it below the video.
Computer science researchers from the University of Michigan have shown how malicious apps could take control of Internet of Things devices in Samsung’s SmartThings platform – including the ability of an attacker to unlock a front door to gain physical access to a home.
The main weakness identified is the way that the SmartThings platform grants apps more privileges than needed to perform their stated functions, reports The Verge.
The researchers demonstrated this finding with a proof of concept app promising to monitor battery life on various devices. If the user agreed to let the malicious — but seemingly innocuous — app access their smart lock, the researchers could then not only monitor its battery, but perform the lock’s other functions, including unlocking the door. The researchers found 42 percent of 499 analyzed SmartApps are currently over-privileged in a similar way …
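To make the over-privilege problem concrete, here is a small added example (not code from the researchers or from SmartThings, and not the SmartThings API) that models the difference between a device-level grant and a capability-level grant. A battery-monitor app declares that it only needs the `battery` capability; under the coarse model, being granted the lock device means it also holds `lock` and `unlock`, while under the fine-grained model a runtime check refuses anything the app did not declare. The device, app, and capability names are constructed for illustration; the audit helper at the end computes the same kind of ratio the study reports (apps holding at least one capability they do not need), over a constructed sample.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when an app invokes a capability it was not granted."""


@dataclass
class Device:
    name: str
    capabilities: frozenset  # everything the device can do, e.g. battery, lock, unlock


@dataclass
class App:
    name: str
    declared: frozenset                      # capabilities the app's stated function needs
    used: set = field(default_factory=set)   # capabilities it actually invoked at runtime


def grant_coarse(app: App, device: Device) -> frozenset:
    """Device-level binding: access to the device means every capability it has."""
    return frozenset(device.capabilities)


def grant_fine(app: App, device: Device) -> frozenset:
    """Capability-level binding: only what the app declared, and only if the device has it."""
    return frozenset(app.declared & device.capabilities)


def invoke(app: App, granted: frozenset, capability: str) -> bool:
    """Runtime check: refuse anything outside the grant, and record what was used."""
    if capability not in granted:
        raise PermissionDenied(f"{app.name} is not granted '{capability}'")
    app.used.add(capability)
    return True


def over_privilege(app: App, granted: frozenset) -> frozenset:
    """Capabilities the app holds beyond what its stated function declares."""
    return frozenset(granted - app.declared)


def overprivileged_fraction(bindings) -> float:
    """Share of (app, grant) pairs holding at least one capability they do not need."""
    bindings = list(bindings)
    flagged = sum(1 for app, granted in bindings if over_privilege(app, granted))
    return flagged / len(bindings) if bindings else 0.0


# Constructed sample device (hypothetical; not a real SmartThings device definition)
FRONT_DOOR = Device("front-door", frozenset({"battery", "lock", "unlock"}))


def run_scenario(fine_grained: bool) -> dict:
    """A battery monitor is bound to the lock; try a battery read and an unlock under each model."""
    app = App("battery-monitor", frozenset({"battery"}))
    granted = grant_fine(app, FRONT_DOOR) if fine_grained else grant_coarse(app, FRONT_DOOR)
    invoke(app, granted, "battery")          # the stated function works under both models
    try:
        invoke(app, granted, "unlock")       # only the coarse model lets this through
        unlock_allowed = True
    except PermissionDenied:
        unlock_allowed = False
    return {
        "granted": granted,
        "over_privileged": over_privilege(app, granted),
        "unlock_allowed": unlock_allowed,
        "used": frozenset(app.used),
    }


if __name__ == "__main__":
    for fine in (False, True):
        print("fine-grained" if fine else "coarse-grained", run_scenario(fine))
```

The point of the model is that the policy decision happens at binding time: once the platform hands out a whole device, no amount of good behaviour by the app's author limits what a malicious version of it can do, whereas the capability-level grant makes `over_privilege` empty by construction and the runtime check enforces it.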
A second exploit allowed the team to program their own PIN codes into a door to allow physical access at will.
Although the user would need to install the malicious app, a small-scale survey of users showed that it’s not difficult to persuade non-tech users to do so.
Ninety-one percent said they would let a battery monitoring app check on their smart lock, and consequently give the app access to its functions.
Samsung says that it is issuing updated guidance to developers on securing their code, and that it conducts app reviews. The Michigan team does not, however, believe this will be sufficient.
The risks are significant, and they are unlikely to be easily addressed via simple security patches.
You can watch the video demo below.
Protecting our customers’ privacy and data security is fundamental to everything we do at SmartThings. We regularly perform penetration tests of our system and engage with professional third party security experts, embracing their research so that we can continue to stay in front of any potential vulnerabilities and be industry leaders when it comes to the security of our platform.
We are fully aware of the University of Michigan/Microsoft Research report and have been working with the authors of the report for the past several weeks on ways that we can continue to make the smart home more secure as the industry grows. The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure.
Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp.
As an open platform with a growing and active developer community, SmartThings provides detailed guidelines on how to keep all code secure and determine what is a trusted source. If code is downloaded from an untrusted source, this can present a potential risk, just as when a PC user installs software from an unknown third-party website: there is a risk that the software may contain malicious code. Following this report, we have updated our documented best practices to provide even better security guidance to developers.