A proof-of-concept attack has compromised mobile apps for Samsung’s SmartThings, one of the more widely deployed internet of things (IoT) platforms. It’s used for connecting home electronic locks, thermostats, ovens and security systems, among other things.
A University of Michigan and Microsoft research team identified two design flaws: one that causes SmartThings apps to receive privileges they never explicitly requested, and another in the way OAuth was implemented that allowed the researchers to inject code and redirect users.
The results of the exploitation are wide-ranging—and scary. They showed that it’s possible to unlock physical doors remotely, trigger fake fire alarms, reprogram home security settings, disable vacation mode for smart-home devices and more.
"All of the above attacks expose a household to significant harm—break-ins, theft, misinformation, and vandalism," the researchers wrote in their paper on the subject. "The attack vectors are not specific to a particular device and are broadly applicable."
In the lock-picking example, researchers were able to program a new PIN code into the smart door lock, giving them sustained access to the home. They used code injection to redirect traffic to a malicious domain in order to secure the credentials they needed to do the reprogramming.
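The OAuth weakness described above comes down to where the authorization flow is allowed to send the user once they have logged in. As an added illustration, not code from the research team or from SmartThings, the following compares a loose redirect check with the exact-match validation an authorization server should perform before issuing a code; the host names and registered URI are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the redirect URIs a client registered with the
# authorization server. Not SmartThings' real endpoints.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}

def weak_redirect_check(redirect_uri: str) -> bool:
    """A loose check: it only asks whether a trusted host name appears
    somewhere in the URI, so look-alike hosts and downgraded schemes pass."""
    return "app.example.com" in redirect_uri

def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact-match validation in line with OAuth 2.0 security guidance:
    the URI must be exactly one of the registered values, use https and
    carry no fragment. No prefix, substring or wildcard matching."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS

def authorize(client_id: str, redirect_uri: str, check=strict_redirect_check) -> dict:
    """Authorization-endpoint decision for a hypothetical server: refuse the
    request outright when the redirect target fails validation, so the
    user (and the authorization code) is never sent to an unvetted host."""
    if not check(redirect_uri):
        return {"client_id": client_id, "error": "invalid_redirect_uri", "target": None}
    return {"client_id": client_id, "error": None, "target": redirect_uri}

if __name__ == "__main__":
    # Constructed sample requests: a legitimate callback and a look-alike host.
    for uri in ("https://app.example.com/oauth/callback",
                "https://app.example.com.attacker.example/oauth/callback"):
        print(uri, "weak:", weak_redirect_check(uri), "strict:", strict_redirect_check(uri))
```

The look-alike host passes the loose check and fails the strict one, which is the difference between redirecting a user to an attacker-controlled domain and refusing the request.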
For its part, Samsung said that it has fixed the OAuth flaw and noted that its security-vetting process would catch insecure apps. In a statement, it said:
“The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios—the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure. Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp.”
Deral Heiland, research lead at Rapid7, pointed out that the issues raised by the research extend well past Samsung and potentially affect a large quantity of smart technology.
“First, one of the key things pointed out within this research is access rights,” he said via email. “When dealing with mobile applications it is very common for mobile apps to be granted more access rights than what is needed for them to function properly, as was pointed out within this research…It is also important to note this issue is widespread across many mobile applications, not just the Samsung Smart Home application.”
Also, the installation of third-party applications can often lead to those applications having access to critical security data of other installed applications and services.
“Although applications should be protected from this cross-application style attack, this method was used by the researchers to interact with critical security functions within the Samsung Smart Home service,” said Heiland. “By attacking a weaker application on the phone it may be possible to exploit other critical applications.”
Finally, one of the proofs of concept was a phish: it required the user to click a URL link for the attack to succeed, a reminder that, whether on smartphones or standard computers, users must remain diligent in vetting mail.
“This attack used an age-old method, fooling legitimate users into entering credentials into a phishing URL supplied via an escalation-of-privilege design flaw in the SmartThings app,” Chenxi Wang, chief strategy officer for Twistlock, told Infosecurity. She added that the attack illustrates how difficult it is to design applications that apply the “least-privilege” principle.
“Application designers are often not trained in fundamental security principles, and when they are, ensuring that least-privilege security mechanisms are applied correctly remains a constant challenge. Consequently, it is critical that we utilize automated tools and techniques to help identify and correct inflated privileges in the design and development phases of an application so attacks like this can be prevented from the onset.”