Flaws in Samsung Smart Home Let Criminals Walk Right Through Your Front Door

June 29, 2016

Samsung is in the news again, but this time it isn’t because of their smart TVs. Security researchers at the University of Michigan found several issues with the Samsung SmartThings home automation system. One of them effectively lets an attacker make a key to your front door and walk right in.

Specifically, the vulnerabilities are in the SmartApps that control the system and in the SmartThings platform that runs them. The researchers identified two intrinsic design flaws. First, SmartApps are overprivileged: the capabilities an app can request are too coarse-grained, and once installed an app is given full access to a device even if it asked for only a small part of it, so an app that only needs to read a lock’s battery level can also program new lock codes. Second, the SmartThings event subsystem does not protect sensitive information carried in events, such as lock codes, so any app with access to a device can read everything that device reports. Several proof-of-concept attacks were built on these flaws. The most dangerous, the “backdoor pin code injection attack,” is essentially remote lock picking: it planted an extra PIN in the door lock that the attacker could later use. A companion snooping attack captured the homeowner’s existing unlock PIN from the lock’s events and sent it to the attackers via text message.

The attack began with a link sent to the victim that led to the genuine SmartThings login page. After the victim entered their user name and password, a flaw in the login (OAuth) flow sent the resulting access credential not back to the legitimate app but to an attacker-controlled web address named in the link. The password itself never left SmartThings; the attackers did not need it, because the stolen token gave them the same access as the homeowner.
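The failure described above is what happens when an authorization server accepts a redirect address it should have rejected. The following is an added example, not code from SmartThings or from the researchers: it contrasts a loose redirect check (any address whose host merely contains the registered host) with an exact-match check against the registered address. The client name, hostnames and callback paths are constructed for illustration.

```python
"""Redirect-URI validation at an OAuth authorization endpoint (added example).

Not SmartThings' code. The registered client and all URIs are constructed.
"""
from urllib.parse import urlsplit

# Constructed registration: the one callback the legitimate mobile app declared.
REGISTERED_REDIRECTS = {
    "home-app": ("https://app.example.com/oauth/callback",),
}


def weak_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Flawed check: accept any redirect whose hostname *contains* the
    registered hostname. "app.example.com.attacker.net" passes."""
    registered = REGISTERED_REDIRECTS.get(client_id, ())
    host = (urlsplit(redirect_uri).hostname or "").lower()
    return any((urlsplit(r).hostname or "") in host for r in registered)


def strict_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: refuse anything that is not an absolute https URL
    without a fragment, then require an exact string match against the
    pre-registered list, as the OAuth 2.0 Security BCP requires."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, ())


def authorize(client_id: str, redirect_uri: str, check) -> dict:
    """Decision the server makes *after* the user has logged in: where does
    the authorization code go? The code value is a placeholder string."""
    if not check(client_id, redirect_uri):
        return {"error": "invalid_redirect_uri"}
    return {"redirect_to": redirect_uri, "code": "AUTHZ-CODE-PLACEHOLDER"}


if __name__ == "__main__":
    legit = "https://app.example.com/oauth/callback"
    # Constructed attacker URL: looks related to the real host, is not.
    evil = "https://app.example.com.attacker.net/steal"
    for uri in (legit, evil):
        print(uri)
        print("  weak  :", authorize("home-app", uri, weak_redirect_allowed))
        print("  strict:", authorize("home-app", uri, strict_redirect_allowed))
```

With the weak check, the victim logs in on the real site and the server itself hands the authorization code to the attacker’s host, which is exactly the shape of attack the article describes; the strict check rejects that address while still accepting the registered one.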

As so often happens, the attack began with phishing. Avoid clicking links and attachments in email messages, regardless of who appears to have sent them; use a previously saved bookmark or type the web address in yourself instead. Note that in this case the link led to the real SmartThings login page, so a correct-looking address bar was no guarantee of safety: the malicious part was hidden in the link’s parameters. It is very easy for an attacker to make an email look like it came from a legitimate source, so be certain a link is safe before clicking, and get into the habit of using bookmarks or typing addresses in separately.

Samsung has not indicated a timeframe for fixing the issues the researchers found, or whether it will provide a patch at all. If you already have this system installed, consider disconnecting critical components such as the door locks from it. Do not count on vacation mode as a safeguard, either: one of the proof-of-concept attacks disabled that mode.

Although Samsung has put the blame on third-party developers and on the users who click malicious links, it may yet issue a patch. If and when it does, apply it right away. The same goes for any security or critical update for products that can be controlled over the Internet: thermostats and other climate controls, smart TVs, digital video recorders such as TiVo, solar system monitoring apps, and the many other devices on your home network. Each of these is an entry point into your home and should be kept up to date at all times.

Other proof-of-concept attacks secretly planted door lock codes and triggered a fake fire alarm by injecting forged device events. The flaws are in the platform’s design, not in any particular model of device. In the report, the authors noted that “55% of SmartApps in the store are overprivileged due to the capabilities being too coarse-grained. Moreover, once installed, a SmartApp is granted full access to a device even if it specifies needing only limited access to the device.” Forty-two percent of the 499 apps tested were granted access they had never requested.
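The two design flaws quoted above (device-wide grants and an event bus that shares everything) are easier to see in code. The following is an added example and not SmartThings’ platform code or any of the researchers’ SmartApps: it models a platform that can either grant an app the whole device once any capability on it is requested, or confine the app to the capabilities it asked for, and applies the same rule to the events the app is allowed to see. The capability table, device, app name and event values are constructed for illustration.

```python
"""Device-level versus capability-level authorization (added example).

Not SmartThings' code. Capabilities, devices and events are constructed.
"""
from dataclasses import dataclass

# Constructed capability table: which commands and event attributes each
# capability covers. A real lock exposes both "battery" and "lock".
CAPABILITIES = {
    "battery": {"commands": set(), "attributes": {"battery"}},
    "lock": {
        "commands": {"lock", "unlock", "setCode", "deleteCode"},
        "attributes": {"lock", "codeReport"},
    },
}


@dataclass
class Device:
    name: str
    capabilities: set


@dataclass
class Installation:
    app: str
    device: Device
    requested: set       # capabilities the app asked for at install time
    fine_grained: bool   # False reproduces the flaw: the whole device is granted

    def granted(self) -> set:
        return self.requested if self.fine_grained else self.device.capabilities


def can_run(inst: Installation, command: str) -> bool:
    """Authorize a device command against what the app was actually granted."""
    return any(command in CAPABILITIES[c]["commands"] for c in inst.granted())


def visible_events(inst: Installation, events: list) -> list:
    """Deliver only events whose attribute belongs to a granted capability.
    A lock's codeReport event carries the PIN itself; handing it to an app
    that only asked for battery level is the snooping path in the article."""
    allowed = set().union(*(CAPABILITIES[c]["attributes"] for c in inst.granted()))
    return [e for e in events if e["attribute"] in allowed]


def demo() -> dict:
    """Run the same battery-monitor app under both policies."""
    front_door = Device("front door", {"battery", "lock"})
    coarse = Installation("battery-monitor", front_door, {"battery"}, fine_grained=False)
    strict = Installation("battery-monitor", front_door, {"battery"}, fine_grained=True)
    # Constructed events: one harmless, one carrying a lock code.
    events = [{"attribute": "battery", "value": 87},
              {"attribute": "codeReport", "value": "1234"}]
    return {
        "coarse_can_setCode": can_run(coarse, "setCode"),
        "strict_can_setCode": can_run(strict, "setCode"),
        "coarse_sees": [e["attribute"] for e in visible_events(coarse, events)],
        "strict_sees": [e["attribute"] for e in visible_events(strict, events)],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Under the device-level policy the battery monitor can call setCode (the backdoor PIN) and receives the codeReport event (the PIN leak); under the capability-level policy it can do neither, which is the granularity the report says the platform lacked.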

Samsung has stated that the issues “would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication.” It has nonetheless added security review requirements for SmartApps.

© Copyright 2016 Stickley on Security