Researchers from Microsoft and the University of Michigan have discovered numerous vulnerabilities in smart home devices. The vulnerabilities allowed them to remotely hack the devices and take control of them.
The research focussed on the SmartThings home automation system from Samsung. According to the researchers' report, the apps Samsung provides for controlling the devices contained much more functionality and code than required for using the system.
The researchers were able to open doors that were locked with SmartThings locks. Smoke detectors could also be falsely triggered, and PIN codes could be added to smart locks. According to the researchers, the biggest weaknesses of the smart devices are in the apps that control them.
These apps are often not properly secured and can be abused to control other devices as well. Some apps also had too many privileges: it was, for example, possible to use an app to open locks while the app was only intended to be used to close locks.
“If these apps are controlling non-essential things like window shades, I’d be fine with that”, Earlence Fernandes, one of the University of Michigan researchers, told Wired.
“But users need to consider whether they’re giving up control of safety-critical devices. The worst-case scenario is that an attacker can enter your home at any time he wants, completely nullifying the idea of a lock”, he added.
The researchers analyzed 499 apps and picked the SmartThings home automation system due to the popularity of its apps in the Google Play Store.
Samsung responded to the report, stating that it has worked with the researchers for weeks to make the SmartThings platform more secure. However, the company downplays the seriousness of the issues, arguing that they require either that users install malware on their phone or that the developer of a SmartThings app does not follow the security guidelines.