Abusing the Internet of Things

Continuing the discussion from New to Forum - Worried about Remote Access security:

SmartThings security issues are discussed in the new book “Abusing the Internet of Things”.

Author: Nitesh Dhanjani
Publisher: O’Reilly Media, Inc.
Release Date: August 2015
ISBN: 9781491902332

Here are some interesting tidbits from Chapter 4.

Chapter 4. Blurred Lines: When the Physical Space Meets the Virtual Space

Given that SmartThings is so focused on enabling IoT in the home, this chapter focuses on evaluating the security in the design of their products. It is important to identify companies like SmartThings and analyze what good and bad design principles are at work.

In the current situation, a malicious entity can use the password reset feature (Figure 4-9) to reset a victim’s SmartThings password. All the attacker needs is temporary access to the target’s email account, which can be gained by stealing a mobile device that belongs to the SmartThings user and capturing the reset password (Figure 4-11) just by using the user’s preconfigured email client on the mobile device.

Another issue of concern is the longevity (18,250 days!) of the access_token discussed earlier. Since 18,250 days equals approximately 50 years, a potential attacker has five decades to try to obtain the access_token and reuse it to launch commands using the graph.api.smartthings.com service.

A malicious person who knows of your cell phone number and knows that you rely on SmartThings products to remotely ensure the safety of your family could abuse this situation to cause you to leave a particular location (such as your office) and head home to check up on your family because you received an SMS from the SmartThings short code.


I moved 10 posts to an existing topic: Platform Security

Hey guys,

I love the passion for SmartThings, but the community currently has many active “security awareness” posts. We’d love for this information to be available from one post for everyone. I am going to move all these posts to the “Platform Security” thread.

Thanks!

P.S. We are taking this stuff seriously over here.