Tech Trend 247

Is your smart home too smart for its own good?

A home full of connected devices like front-door locks, motion sensors, thermostats and smoke alarms all talking to a central hub and controllable via an app is the promise of smart home platforms like Samsung SmartThings. But all that interconnectivity of high-value home devices is also, apparently, catnip to hackers, potential malefactors and enterprising researchers.

A new University of Michigan security study entitled Security Analysis of Emerging Smart Home Applications demonstrates how Samsung's SmartThings platform may be especially vulnerable to hackers. Written by Earlence Fernandes, Jaeyeon Jung, and Atul Prakash (Fernandes and Prakash are both from the University of Michigan, while Jung is part of Microsoft Research), the paper is being presented this month at the upcoming IEEE Symposium on Security and Privacy.

The researchers targeted SmartThings because it, like other emerging smart home platforms, allows third-party app development and there are already a large number of apps and devices that work with it.

Specifically, the researchers were concerned with what they saw as the "overprivilege" of SmartThings apps, which allows them to access more functions that they need to. For example, an app that only needs access to door lock's battery level might also have access to the device's on/off switch.

To test their theories, the research team created a handful of scary proof-of-concept attacks. In one, a SmartThings user downloads a malware app that, while helping the user set up a smart home front door lock also sends the user-generated PIN code to a would-be intruder via SMS.

The research team created a handful of scary proof-of-concept attacks.

In another attack, the researchers steal an OAuth token for an Android app that works with the SmartThings hub and reset the door lock PIN from a remote computer.

According to the study, "55% of SmartApps in the store are overprivileged due to the capabilities being too coarse-grained."

While a user will set which smart devices will work with the SmartThings platform, the researchers contend that the system doesn't present enough information about all the device capabilities the system can access once it becomes a part of the platform. As the paper notes, "The SmartApp gains access to all commands and attributes of all the capabilities implemented by the device handlers of the selected devices."

Is your Smart Home at risk?

What does this mean for other smart home platforms? The researchers chose Samsung SmartThings because of the sheer number of devices and apps that work with it. But what of other platforms like Google's Nest and Apple's HomeKit?

Earlence Fernandes, who is currently a Ph.D. candidate at The University of Michigan, told Mashable that they did look at other platforms, like the similarly architected HomeKit and Google's Nest, but settled on SmartThings because they believe it's a more mature platform. The researchers based some of this on the fact that Google Play shows between 100,000 and a half a million downloads for the core Android SmartThings control app. Fernandes said he hopes other platforms can learn from their SmartThings findings and clamp down on overprivilege.

"[An] app should only have enough capabilities to do its job — no more and no less," he said.

Late last year, the researchers shared their results with Samsung, which told them it would be tightening its platform documentation and vetting procedures. However, when the team reran its tests last Friday, at least a couple of the hacks were still possible.

When contacted by Mashable for comment Samsung noted that it's "fully aware" of the University of Michigan study, but noted the narrow scope of their findings.

The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios — the installation of a malicious SmartApp or the failure of third-party developers to follow SmartThings guidelines on how to keep their code secure.

Samsung also cast doubt on one of the researches key attack scenarios.

Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp. 

However, the company then added a sort of "buyer beware" caveat:

As an open platform with a growing and active developer community, SmartThings provides detailed guidelines on how to keep all code secure and determine what is a trusted source. If code is downloaded from an untrusted source, this can present a potential risk just like when a PC user installs software from an unknown third-party website, there's a risk that software may contain malicious code. Following this report, we have updated our documented best practices to provide even better security guidance to developers.

BONUS: The Internet of Things, Explained

Have something to add to this story? Share it in the comments.