Researchers say there are serious security problems in Samsung’s SmartThings

Interesting paper. Is this the research that @alex is referring to?

1 Like

I don’t care if it’s a platform or a third-party app: This is why I’ll NEVER connect a smart lock to any portion of automation, even for monitoring purposes.

1 Like

Hey guys,

Alex has posted a response here:

1 Like

Curious if the “hackers” reached out to have you address the issues prior to publication? DK

ArsTechnica has a good breakdown of a new demonstrated vulnerability in SmartThings, particularly as it relates to smart locks.

Needless to say, don’t use SmartThings for anything related to security.

1 Like

We have been working with them for a couple weeks now.

3 Likes

Gosh… Folks have gone over this dozens of times.

If you think your external door, “automation connected” smart locks are the biggest vulnerability to your home, then you’ve got a lot more to think about…

  • Most lock brands are susceptible to picking or, even simpler, “bump keys” – get one cheap on eBay!

  • Windows are the most common path to entry, and I doubt folks have bars on all their windows and remember to keep every single one of them manually latched every night? Fresh air around here trumps security risk.

  • Even external doors are not that difficult to break open without moving the deadbolt. A connected smart lock, however, can help alert home owners to tampering attempts.

3 Likes

Locks only keep the good people out. My front door has a glass frame around it. If someone wanted to force their way inside, it would not matter if the lock is smart or dumb.

My smart lock, however, improves the chances that the door is actually locked.

5 Likes

There isn’t a lock on the planet that is secure in your front door. A boot will defeat it every single time.

You want security, live in a bank vault.

If you want the locks and you’re worried about when you’re home and asleep, add a security layer.

A simple chain lock will stop any electronic lock pick. Plus it makes noise when you break it.

But then again, y’all are worried about a high-tech thief coming into your house.

If they are high-tech enough to hack your HA system, they don’t care about your house… They’ve already stolen your bank account.

12 Likes

For the record, we contacted SmartThings with all details in Dec 2015.

3 Likes

I can’t imagine how you could have any heightened sense of security when you know the risk of it being hacked (at all). Why break a window when one can just hack the lock - drive by, push a button, and you’re in! No bump keys, no hand tools, just push the button.

I’m not against smart locks, I’m just against connecting them and controlling them remotely.

This is one of those silly bits of folksy “wisdom” that doesn’t stand up to even the most basic scrutiny. If it were true then there wouldn’t be any real point in having a lock, would there?

Thanks for your research and the publicly available full paper at this link:

https://iotsecurity.eecs.umich.edu/img/Paper27_CameraReady_SmartThings_Revised_IEEEGen.pdf

While the research raises concerns of varying degrees and is subject to review and rebuttal, I am concerned with this particular paragraph (on Page 8):

Our network protocol analysis discovered a set of unpublished REST URLs that interact with the backend to retrieve the source code of SmartApps for display. We downloaded all 499 SmartApps that were available on the market as of July 2015 using the set of unpublished REST URLs, and another set of URLs that we intercepted via an SSL man-in-the-middle proxy on the Companion App (we could not download 22 apps, for a total of 521, because these apps were only present in binary form, with no known REST URL). Similarly, we downloaded all 132 unique SmartDevices (device handlers).

Has this “unpublished REST URLs” vulnerability that you found, which exposes the source code of published SmartApps, been fixed? @slagle, @jody.albritton, @dlieberman?! :worried:

Clarification on that. There is no vulnerability there. We only downloaded the explicitly open sourced code. The REST URLs mentioned there are only to automate the otherwise manual process of going to each app, and copy-pasting the code.

1 Like

Perhaps I just didn’t catch the details in your paper, but could you share the details of the REST URLs with us (or private message me, please), so that we can further understand and verify? Thank you.

I didn’t even know that there were 499 published SmartApps, let alone any REST URLs for fetching their code.

It depends on your definition of “published”. 499 might be all SmartApps that have ever been published, including child SmartApps, and ones that have been deprecated or duplicated by new SmartApps.

[quote=“SparkyXI, post:39, topic:46834, full:true”]I can’t imagine how you could have any heightened sense of security when you know the risk of it being hacked (at all). Why break a window when one can just hack the lock - drive by, push a button, and you’re in! No bump keys, no hand tools, just push the button.

I’m not against smart locks, I’m just against connecting them and controlling them remotely.
[/quote]

The point is, it’s the other way round from your thinking: it’s actually easier for more people to pick/bump than it is for them to ‘hack’. That’s why the article is mostly click bait/scare journalism.

Nothing makes you more frighteningly aware of just how easy it is to get into your house/car than when you lose your keys… and I do mean shockingly easy, as in usually only a few seconds kind of easy. Just go through the locksmith/picking videos on YouTube and you’ll realise why someone who wants to rob your house will choose those methods over a ‘hack’ any day of the week.

There is only so much you can do and security should always be in layers.

6 Likes

Agreed completely. I have security cameras, alarm, home automation. If they want to rob me, they have more layers than the person to my left and right.

4 Likes

My smart locks improve the chances that my wife won’t call the fire department to bust the door frame because she locked herself out of the house and there is a pot burning on the stove, while I am on a business trip… (true story, from a few years ago)

7 Likes

True enough. A system that also has motion sensors, away mode etc can let people know when you’re away which is different than a burglar picking a random house.