Researchers say there are serious security problems in Samsung’s SmartThings


(M Li) #33

ArsTechnica has a good breakdown of a new demonstrated vulnerability in SmartThings, particularly as it relates to smart locks.

Needless to say, don’t use Smart Things for anything related to security


(Tim Slagle) #34

We have been working with them for a couple weeks now.


Major Security Flaw with SmartThings, OAuth, and Zigbee
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy; NOT a SmartThings Employee.) #35

Gosh… Folks have gone over this dozens of times.

If you think your external door, “automation connected” smart locks are the biggest vulnerability to your home, then you’ve got a lot more to think about…

  • Most locks brands are susceptible to picking or even simpler, “bump keys” – get one cheap on eBay!

  • Windows are the most common path to entry, and I doubt folks have bars on all their windows and remember to keep every single one of them manually latched every night? Fresh air around here trumps security risk.

  • Even external doors are not that difficult to break open without moving the deadbolt. A connected smart lock, however, can help alert home owners to tampering attempts.


(Alex) #36

Locks only keep the good people out. My front door has a glass frame around it. If someone wanted to force their way inside, it would not matter if the lock is smart or dumb.

My smart lock, however, improves the chances that the door is actually locked.


(Jason "The Enabler" as deemed so by @Smart) #37

There isn’t a lock on the planet that is secure in your front door. A boot will defeat it every single time.

You want security, live in a bank vault.

If you want the licks and you’re worried about when you’re home and sleep, add a security layer.

A simple chain lock will stop any electronic lock pick. Plus it makes noise when you break it.

But then again, y’all are being worried about a high tech theif coming in your house.

If they are high tech enough to back your ha system, they don’t care about your house… They’ve already stolen your bank account.


#38

For the record, we contacted SmartThings with all details in Dec 2015.


Thoughts on Industry Standards for Vulnerability Discovery Disclosures
SmartThings Platform Security - Response from Alex
(Mike Swanson) #39

I can’t imagine how you could have any heightened sense of security when you know the risk of it being hacked (at all). Why break a window when one can just hack the lock - drive by, push a button, and you’re in! No bump keys, no hand tools, just push the button.

I’m not against smart locks, I’m just against connecting them and controlling them remotely.


(Dan P Parker) #40

This is one of those silly bits of folksy “wisdom” that doesn’t stand up to even the most basic scrutiny. If it were true then there wouldn’t be any real point in having a lock, would there?


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy; NOT a SmartThings Employee.) #41

Thanks for your research and the publicly available full paper at this link:

While the research raises concerns of varying degrees and is subject to review and rebuttal, I am concerned with this particular paragraph (on Page 8):

Our network protocol analysis discovered a set of unpublished
REST URLs that interact with the backend to retrieve
the source code of SmartApps for display. We downloaded all
499 SmartApps that were available on the market as of July
2015 using the set of unpublished REST URLs, and another
set of URLs that we intercepted via an SSL man-in-the-middle
proxy on the Companion App (we could not download 22
apps, for a total of 521, because these apps were only present
in binary form, with no known REST URL). Similarly, we
downloaded all 132 unique SmartDevices (device handlers).

Has this “unpublished REST URLs” vulnerability that you found which exposes the source code of Published SmartApps been fixed? @slagle, @jodyalbritton, @dlieberman?! :worried:


#42

Clarification on that. There is no vulnerability there. We only downloaded the explicitly open sourced code. The REST URLs mentioned there are only to automate the otherwise manual process of going to each app, and copy-pasting the code.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy; NOT a SmartThings Employee.) #43

Perhaps I just didn’t catch the details in your Paper, but could you share the details of the REST URLs with us (or private message me, please), so that we can further understand and verify? Thank-you.

I didn’t even know that there were 499 published SmartApps, let alone any REST URLs for fetching their code.


#44

It depends on your definition of “published”. 499 might be all SmartApps that have ever been published, including child SmartApps, and ones that have been deprecated or duplicated by new SmartApps.


(Benji) #45

[quote=“SparkyXI, post:39, topic:46834, full:true”]I can’t imagine how you could have any heightened sense of security when you know the risk of it being hacked (at all). Why break a window when one can just hack the lock - drive by, push a button, and you’re in! No bump keys, no hand tools, just push the button.

I’m not against smart locks, I’m just against connecting them and controlling them remotely.
[/quote]

The point is, it’s the other way round in your thinking, it’s actually easier for more people to pick/bump than it is for them to ‘hack’. That’s why the article is mostly click bait/scare journalism.

Nothing makes you more frighteningly aware of just how easy it is to get in your house/car than when you lose your keys… and I do mean shockingly easy, as in usually only a few seconds kind of easy. Just go through the the locksmith/picking videos on YouTube and you’ll realise why someone who wants to rob your house will chose those methods over a ‘hack’ any day of the week.

There is only so much you can do and security should always be in layers.


(Marc) #46

Agreed completely. I have security cameras, alarm, home automation. If they want to rob me, they have more layers than the person to my left and right.


(Bobby) #47

My smart locks improve the chances that my wife won’t call the fire department to bust the door frame becuse she locked herself out of the house and there is a pot burning on the stove, while I am on business trip…(true story a few years ago)


(Chris ) #48

True enough. A system that also has motion sensors, away mode etc can let people know when you’re away which is different than a burglar picking a random house.


(Mike Maxwell) #49

well maybe, the market is a way of distributing apps without revealing the source code, open source or not.
Without the URLs being used that you mentioned, there is no way for the user to extract the smart app source code from the mobile app.
It may be that many of these apps are available in the IDE in source form, but that is an option chosen by the developer when the app is submitted for publication.
I for one could care less about the actual unpublished URL’s used for this, but would be very interested in the list of apps that this exercise exposed.
Should the above URL’s expose source code that the developer elected not to share, then this should be known to ST and the community…


(Bobby) #50

Exposing vulnerabilities is not click bait nor scare journalism. It is the readers’ call to discern if it’s a real threat and what risk they want to assume. I know that hacking my system may be easy. But I think if someone takes the time to plan an attack on my personal property, they will be successful with or without my security system.


(Jason "The Enabler" as deemed so by @Smart) #51

Well, if I’m gonna get robbed, I’d prefer to not be home when it happens. At least then my family won’t be harmed.


(Benji) #52

No but the manner in which they do is.