Researchers say there are serious security problems in Samsung’s SmartThings


(Dale C) #29

Interesting paper. Is this the research that @alex is referring to?


(Mike Swanson) #30

I don’t care if it’s a platform or a third-party app: This is why I’ll NEVER connect a smart lock to any portion of automation, even for monitoring purposes.


(Tim Slagle) #31

Hey guys,

Alex has posted a response here:


(AuxMax001) #32

Curious if the “hackers” reached out to have you address the issues prior to publication? DK


(M Li) #33

ArsTechnica has a good breakdown of a new demonstrated vulnerability in SmartThings, particularly as it relates to smart locks.

Needless to say, don’t use SmartThings for anything related to security.


(Tim Slagle) #34

We have been working with them for a couple weeks now.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #35

Gosh… Folks have gone over this dozens of times.

If you think your external door, “automation connected” smart locks are the biggest vulnerability to your home, then you’ve got a lot more to think about…

  • Most lock brands are susceptible to picking or, even simpler, “bump keys” – get one cheap on eBay!

  • Windows are the most common path to entry, and I doubt folks have bars on all their windows and remember to keep every single one of them manually latched every night. Fresh air around here trumps security risk.

  • Even external doors are not that difficult to break open without moving the deadbolt. A connected smart lock, however, can help alert homeowners to tampering attempts.


(Alex) #36

Locks only keep the good people out. My front door has a glass frame around it. If someone wanted to force their way inside, it would not matter if the lock is smart or dumb.

My smart lock, however, improves the chances that the door is actually locked.


(Jason "The Enabler" as deemed so by @Smart) #37

There isn’t a lock on the planet that is secure in your front door. A boot will defeat it every single time.

You want security, live in a bank vault.

If you want the locks and you’re worried about when you’re home and asleep, add a security layer.

A simple chain lock will stop any electronic lock pick. Plus it makes noise when you break it.

But then again, y’all are worried about a high-tech thief coming into your house.

If they are high-tech enough to hack your HA system, they don’t care about your house… They’ve already stolen your bank account.


#38

For the record, we contacted SmartThings with all details in Dec 2015.


(Mike Swanson) #39

I can’t imagine how you could have any heightened sense of security when you know the risk of it being hacked (at all). Why break a window when one can just hack the lock - drive by, push a button, and you’re in! No bump keys, no hand tools, just push the button.

I’m not against smart locks, I’m just against connecting them and controlling them remotely.


(Dan P Parker) #40

This is one of those silly bits of folksy “wisdom” that doesn’t stand up to even the most basic scrutiny. If it were true then there wouldn’t be any real point in having a lock, would there?


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #41

Thanks for your research and the publicly available full paper at this link:

While the research raises concerns of varying degrees and is subject to review and rebuttal, I am concerned with this particular paragraph (on Page 8):

Our network protocol analysis discovered a set of unpublished REST URLs that interact with the backend to retrieve the source code of SmartApps for display. We downloaded all 499 SmartApps that were available on the market as of July 2015 using the set of unpublished REST URLs, and another set of URLs that we intercepted via an SSL man-in-the-middle proxy on the Companion App (we could not download 22 apps, for a total of 521, because these apps were only present in binary form, with no known REST URL). Similarly, we downloaded all 132 unique SmartDevices (device handlers).

Has this “unpublished REST URLs” vulnerability that you found which exposes the source code of Published SmartApps been fixed? @slagle, @jodyalbritton, @dlieberman?! :worried:


#42

Clarification on that: there is no vulnerability there. We only downloaded the explicitly open-sourced code. The REST URLs mentioned there only automate the otherwise manual process of going to each app and copy-pasting the code.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #43

Perhaps I just didn’t catch the details in your paper, but could you share the details of the REST URLs with us (or private message me, please), so that we can further understand and verify? Thank you.

I didn’t even know that there were 499 published SmartApps, let alone any REST URLs for fetching their code.


#44

It depends on your definition of “published”. 499 might be all SmartApps that have ever been published, including child SmartApps, and ones that have been deprecated or duplicated by new SmartApps.


(Benji) #45

SparkyXI (post #39) wrote:

I can’t imagine how you could have any heightened sense of security when you know the risk of it being hacked (at all). Why break a window when one can just hack the lock - drive by, push a button, and you’re in! No bump keys, no hand tools, just push the button.

I’m not against smart locks, I’m just against connecting them and controlling them remotely.

The point is, it’s the other way round from your thinking: it’s actually easier for more people to pick/bump than it is for them to ‘hack’. That’s why the article is mostly clickbait/scare journalism.

Nothing makes you more frighteningly aware of just how easy it is to get into your house/car than when you lose your keys… and I do mean shockingly easy, as in usually only a few seconds kind of easy. Just go through the locksmith/picking videos on YouTube and you’ll realise why someone who wants to rob your house will choose those methods over a ‘hack’ any day of the week.

There is only so much you can do and security should always be in layers.


(Marc) #46

Agreed completely. I have security cameras, alarm, home automation. If they want to rob me, they have more layers than the person to my left and right.


(Bobby) #47

My smart locks improve the chances that my wife won’t call the fire department to bust the door frame because she locked herself out of the house and there is a pot burning on the stove, while I am on a business trip… (true story, a few years ago)


(Chris) #48

True enough. A system that also has motion sensors, away mode, etc. can let people know when you’re away, which is different from a burglar picking a random house.