IoT News Roundup

Security researchers punch holes in SmartThings security; GlobeRanger makes iMotion more IoT-friendly; Microsoft bolsters IoT product line with Solair acquisition; Nokia to support Z-Wave standard for upcoming smart home offerings.
By Mary Catherine O'Connor
May 06, 2016

Security Experts Unveil Vulnerabilities in Samsung's SmartThings
Researchers at the University of Michigan have exposed security flaws in Samsung's SmartThings platform, which is designed to give consumers a means to remotely monitor and control lights, video cameras, door locks or security systems.

The researchers devised and demonstrated what they call a "lock-pick malware app" that is disguised as an app to monitor the battery level of an electronic door lock linked to a user's SmartThings platform. In fact, the malicious code monitors communications between the platform and the lock, and if a user changes the PIN code used to unlock the door, the new code is automatically forwarded to the researcher's app via an SMS text message. A second hack showed that they could use an app that can be downloaded from the SmartThings app store to generate new PIN codes for the same type of door lock, without a user's knowledge.

The team also discovered a way to alter a SmartThings app in a way that would turn off the "vacation mode" setting in a separate app that lets homeowners program the timing of lights or blinds while they are away on vacation, in order to help secure the home. Lastly, they determined that they could exploit a SmartThings-platform-connected fire alarm by having other apps on the platform send it messages that would trigger it to alarm. The researchers say these exploits were aided by the way in which the SmartThings platform is designed, which gives apps running on the platform what the researchers call "over privilege"—too much access to devices, and to the messages those devices generate.

In addition, SmartThings often provides apps with access to devices running the platform even if the code describing the app clearly does not necessitate that access. This, combined with a bug that allowed the team to use an authentication method called OAuth incorrectly, is how they were able to write the app to generate new PIN codes for door locks, the researchers explain.

The platform's event subsystem—a stream of messages that devices generate as they are programmed and carry out instructions—has an insecurity that the researchers also compromised. This, the team reports, enabled them to trigger the fire alarm using other apps.

The researchers note that they advised Samsung of the vulnerabilities in December 2015, and that the company told them it would address these issues. Despite this, the researchers were able to repeat one of the door lock hacks again a few weeks ago.

SmartThings provided a statement indicating that it is exploring "long-term, automated, defensive capabilities to address these vulnerabilities." The researchers will present a paper discussing their findings on May 24 at the IEEE Symposium on Security and Privacy, being held in San Jose, Calif.

Simply enter a question for our experts.
Sign up for the RFID Journal Newsletter
We will never sell or share your information
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations