SmartThings Community

Researchers say there are serious security problems in Samsung’s SmartThings


(Nosnhojm) #1

Security Analysis of SmartThings
Security Issues
Identifying the user for external API calls
Wired article - Flaws in Samsung’s ‘Smart’ Home Let Hackers Unlock Doors and Set Off Fire Alarms
SmartTiles v5.8: Deployed to Blue & Green Editions. Release notes, etc. (follow this Topic for updates...)
Thoughts on Industry Standards for Vulnerability Discovery Disclosures
(Nosnhojm) #2

The argument seems to be around permissions; users aren’t made aware of the privileges granted to a SmartApp on a per-device basis. This might be solved as simply as a “This smart app will have the following permissions for this device” type of warning, or as complex as granular permission control (e.g., grant access to reading status, but not unlocking).

I already find granting individual device permissions to a SmartApp cumbersome; prefer just granting access to everything…but I’m not too concerned with security.


(Bobby) #3

The article should be called ‘be aware or what app you install’. And it will probably result in less approvals and more self awareness on the part of consumers.

‘Crucially, all the attacks require users to either install a malicious app from the SmartThings store or click a malicious link.’


(Marc) #4

Smarthings faces similar challenges that the Android platform faces where you have an open platform where you need to trust third party apps/developers and users must be very cautious installing applications. Obviously, ST has a ways to go with an app store/approval process similar to Google Play. This is all about growing pains of a young company facing security challenges.


Wired article - Flaws in Samsung’s ‘Smart’ Home Let Hackers Unlock Doors and Set Off Fire Alarms
Security Analysis of SmartThings
#5

Hello Everyone

I had conducted a security study of SmartThings. I had also enlisted the help of some users here in a user study as part of that research. Well, all that work is public now. Thanks to all those who helped with the study!

https://iotsecurity.eecs.umich.edu


(Chris Etheridge) #7

Well, that’s not good.

https://www.schneier.com/blog/archives/2016/05/vulnerabilities_5.html


(Mike G) #8

Found this quite interesting but not surprising.


(joe) #9

Security is a huge problem on this platform especially if you have locks/doors that can be easily opened. I think people are generally too trusting and will install smart apps/devices written by others without reviewing what they really expose. Not too mention that the ST hub essentially punches a hole through the firewall on your local lan so anyone with malicious intentions can pretty easily listen to all of the devices on your local network and the forward that information to an external network. Security on the Local LAN?


(Larry) #10

typical inflamitory b.s… yes if you install a 3rd party app it can hack and do things… same for android phones…


(joe) #11

That is kind of the point isn’t it? Be careful what you install into your environment and don’t trust that everyone is being a nice citizen. A simple sounding “battery monitoring” app may be giving out way more privilege than you know. And on this platform there is no way to know that other than to perform an in-depth review of the code.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #13

###“Security vulnerabilities” are always relative

A window or bump-key, for example, is still a much easier way for an intruder to enter your home than hacking your smart lock, even as the number ways to defeat the lock increase.

This particular concern with the granularity of device permissions vs. Capability or highly granular feature/function permission has never been hidden and many of us have been extremely aware of this from day one. (There are plenty of lesser known issues in SmartThings, however).

While improving security granularity is undeniably beneficial, SmartThings has many ways to address the issue, including the process they already use to review SmartApps before they are published.

The most beneficial action SmartThings can take, however, is customer education; this “stuff” is extremely confusing to anyone who has no need or interest in understanding what happens in the background. In-App help pages, videos, blogs, and detailed user-friendly documentation can go a very long way to help customers understand, avoid, and mitigate and balance their risk, comfort, convenience levels.

###PS:
We and SmartThings certainly cannot count on the hyperbolic tech/gadget media to provide this valuable and vital education. Quite the opposite, in fact: Articles about smart home gadgets either ignore security risks entirely, gloss over them vaguely, or present them without the context that is necessary to accurately assess the risk.

(You know I couldn’t let this go without making a “there goes the lazy media” claim again! :wink: :speak_no_evil:)


(Jimmy) #14

I am now suspicious of all of you that write smartapps :expressionless: Now give me my tinfoil hat!


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #15

It’s in your downstairs hall closet on the left side of the top shelf. SmartTiles takes pride in monitoring all your video feeds so that we can provide this helpful “lost item recovery service”. You say you didn’t authorize any video feeds or monitoring? Oh … never mind then. :stuck_out_tongue_winking_eye:


(Dan P Parker) #16

[quote=“tgauchat, post:15, topic:46834”]
It’s in your downstairs hall closet on the left side of the top shelf. SmartTiles takes pride in monitoring all your video feeds so that we can provide this helpful “lost item recovery service”. You say you didn’t authorize any video feeds or monitoring? Oh … never mind then. :stuck_out_tongue_winking_eye:[/quote]

And…that tie with that shirt? C’mon, man!!!


(Bobby) #17

FYI @alex responded…


(Never Trust @bamarayne) #18

True. However, the nature of remote exploits still applies.

I.E. it’s easier to pull a gun on a teller than to hack a bank. But banks are targeted for hacks remotely because the payoffs can be larger and because of the nature of remotely exploiting something. You can spend alot more time on it, you can avoid detection, you can avoid accountability, etc.

The problem with a vulnerability in unlocking someone’s locks via SmartThings is that some basement dwelling script monkeys can do it and they won’t always be able to resist the idea they could just walk in and help themselves. Combine that with the fact they can tell when there was last movement, when the system was armed - if there is a mode named “Out Of Town” that is active, etc… and you have a recipe for disaster. And this is just scratching the surface of the issues… we’re talking about simple theft… things can get a lot weirder and darker than that when it comes to smarthomes and what can be discerned with that data.

Patch all the things, don’t make any excuses.

I don’t leave my doors unlock so burglars won’t break the windows.

Alex:
"Over the past several weeks, we have been working with this research team and have already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report.

Even though current customers have not been impacted, we take the recommendations of Mr. Fernandes, Dr. Jung, and Dr. Prakash seriously and are grateful for all opportunities to continue to improve the security of our platform."


#19

Here is another article about the subject:


#20

I don’t think it’s inflammatory, and I don’t think SmartThings staff thought so either, since they did immediately make a few changes.

There are two separate questions here. First the basic issue of how are you going to handle remote operation of devices? For example, I believe that the same issue, too many permissions, is the reason why nest has not approved SmartThings as an official integration. Logitech Harmony will not allow remote control of locks. Period. Harmony activities which include locks cannot be operated through IFTTT, for example. Amazon, on the other hand, just gives people a warning that they should be aware if they are putting barrier control devices under Echo control.

The second is the question of how a platform owner, such as SmartThings, handles independently-created apps which are offered through an official platform. ( you know, those 30,000 developers. :wink:). SmartThings is essentially using an honor system by publishing developer guidelines. But those obviously can’t protect against those with malicious intent.

While smartapps available through the marketplace go through additional scrutiny, the ones published in the community forum do not.

The ability to use custom code is clearly a strength of SmartThings, but it is reasonable for industry watchers today to ask what if any protections are in place for the average person who buys a security starter kit at Sears and doesn’t read code at all?

I understand the android example, but SmartThings is also sold to people who have iPhones and have different expectations of security.

There are no easy answers here. Apple originally said that HomeKit would not allow for voice operation of locks. They got a lot of pushback on that, and eventually allowed the option. But even so, if you’re using it with the phone instead of a watch, there are a lot of barriers to convenience. ( The watch has a different locking protocol, and so it’s just more convenient to use in some cases.)

So I do think it’s an important question to raise, and an important discussion to have, even if we might not all come to the same conclusions. It may be as simple as SmartThings adding a mandatory warning when a lock is included in a smartapp installation. But it seems like a legitimate discussion to have.

JMO


(Alex) #21

I’m glad the ST is paying attention to media and takes recommendations of professional third-party security experts. However, there’s nothing new in these articles. This information has been the common knowledge of the community and same issues have been raised for years!


(Never Trust @bamarayne) #22

Which is scary.

@625alex @tgauchat

Do you know if the vulnerabilities you guys were aware of have been patched as a result?