Security issues in Samsung’s smart home platform allow hackers to open locks

Posted 02 May 2016 18:32 CEST by Jan Willem Aldershoff

Researchers from Microsoft and the University of Michigan have discovered numerous vulnerabilities in smart home devices. The vulnerabilities allowed them to remotely hack the devices and take control of them.


The research focussed on the SmartThings home automation platform from Samsung. According to the researchers' report, the apps Samsung provides for controlling the devices contained much more functionality and code than required for using the home automation system.

It was possible for the researchers to open doors that were locked through SmartThings locks. Smoke detectors could also be falsely triggered, and PIN codes could be added to smart locks. According to the researchers, the biggest weaknesses of the smart devices are in the apps that control them.

These are often not properly secured and can be abused to control other devices as well. Some apps also had too many privileges; for example, it was possible to use an app to open locks while the app was only intended to be used to close locks.
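The over-privilege described above can be checked mechanically by comparing what an app is granted with what its stated purpose needs. The following is an added example, not code from the researchers' report or from Samsung; the capability and command names, and the assumption that permissions are granted as whole bundles of commands, are illustrative.

```python
"""Over-privilege audit for a smart home app (constructed model)."""

# Assumption: capabilities are granted as whole bundles of commands.
# The capability and command names below are illustrative, not a vendor API.
CAPABILITY_COMMANDS = {
    "lock": {"lock", "unlock"},
    "windowShade": {"open", "close"},
}

# Commands whose misuse has physical-safety consequences (constructed list).
SAFETY_CRITICAL = {("lock", "unlock")}


def reachable_commands(granted_capabilities):
    """Expand coarse capability grants into every command the app can issue."""
    return {
        (cap, cmd)
        for cap in granted_capabilities
        for cmd in CAPABILITY_COMMANDS[cap]
    }


def audit(granted_capabilities, needed_commands):
    """Return (excess, critical_excess): commands granted but not needed."""
    excess = reachable_commands(granted_capabilities) - set(needed_commands)
    return sorted(excess), sorted(excess & SAFETY_CRITICAL)


class CommandGate:
    """Hub-side check that authorises individual commands, not capabilities."""

    def __init__(self, allowed_commands):
        self.allowed = frozenset(allowed_commands)

    def dispatch(self, capability, command):
        if (capability, command) not in self.allowed:
            raise PermissionError(f"{capability}.{command} not granted")
        return f"{capability}.{command} sent to device"


# Constructed sample: an app whose stated purpose is to lock doors at night.
AUTO_LOCK_APP = {"granted": ["lock"], "needs": [("lock", "lock")]}

if __name__ == "__main__":
    excess, critical = audit(AUTO_LOCK_APP["granted"], AUTO_LOCK_APP["needs"])
    print("excess:", excess, "safety-critical:", critical)
    gate = CommandGate(AUTO_LOCK_APP["needs"])
    print(gate.dispatch("lock", "lock"))
```

With the bundle-level grant, the audit reports `lock.unlock` as excess and safety-critical; the command-level gate lets the same app lock the door but rejects an unlock request.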

“If these apps are controlling non-essential things like window shades, I’d be fine with that,” Earlence Fernandes, one of the University of Michigan researchers, told Wired.

“But users need to consider whether they’re giving up control of safety-critical devices. The worst case scenario is that an attacker can enter your home at any time he wants, completely nullifying the idea of a lock,” he added.

The researchers analyzed 499 apps and picked the SmartThings home automation system due to the popularity of its apps in the Google Play Store.

Samsung responded to the report, stating it has worked with the researchers for weeks to make the SmartThings platform more secure. However, the company downplays the seriousness of the issues because it argues that users either have to install malware on their phone or the developer of a SmartThings app doesn’t follow the security guidelines.



Zod
MyCE Resident
Posted on: 03 May 16 05:17
It seems that hackers are pretty clever. If they really want to hack something they'll figure it out. Some things are probably better off not connected to the internet. Reminds me of Battlestar Galactica, where the Cylons could hack anything that was networked. The solution was to not network anything.

If there are sensitive systems/info out there, don't connect them to the internet. How hard is that.. lol.
0 Agree

Xercus
MyCE Die Hard
Posted on: 03 May 16 09:19
Quote:
Samsung responded to the report stating it has worked with the researchers for weeks to make the SmartThings platform more secure. However the company downplays the seriousness of the issues because it argues that users either have to install malware on their phone or the developer of a SmartThings app doesn’t follow the security guidelines.
What kind of statement is that... Last time I had a reality check, controlling the app implied hacking it one way or another.

Quote:
But users need to consider whether they’re giving up control of safety-critical devices. The worst case scenario is that an attacker can enter your home at any time he wants, completely nullifying the idea of a lock
That is exactly what sends shivers down my spine, thinking about non-technical users buying all kinds of convenience devices for their home without a shred of concern for security. I am pretty sure they would have been concerned if the lock to the physical door malfunctioned.

Quote:
According to the researchers the biggest weaknesses of the smart devices are in the apps that control them.
It all depends on what you're looking for. There are quite a few vulnerabilities hiding in IoT hardware as well. There is a wholeness to it, as hardware is controlled by software, and since everything is wireless, we have a security issue in just that fact.
In other words, we better be sceptical and not buy anything before we can read at least one security-minded review for both the hardware and software.

As I see it, the future brings forth another hacker group, the local hacker (and with him a lot of script kiddies) specializing in compromising your local wireless network by monitoring Wi-Fi data. With the high availability of such tools, that could easily be your bad neighbor who wants to get back at you for reasons unknown. Don't let him catch you off guard.
0 Agree

TSJnachos117
MyCE Resident
Posted on: 06 May 16 23:31
There are so many issues pointed out by this article: "much more functionality and code than required", waiting until after the software is in use by the public to conduct security research, downplaying security issues that make breaking and entering easier than ever, and general stupidity. So, I guess the moral is to not get a stupid, unnecessary internet-connected thing that can easily ruin one's (non-digital) life, since the people who made it have no idea what they're doing.
0 Agree
