Samsung’s SmartThings Internet of Things network is open to abuse, with hackers potentially able to break their way into a house through its front door, new research has claimed.
SmartThings allows customers to manage their connected devices at home through an Android app. Within the app is a store where third-party developers can provide new apps that run in Samsung’s cloud. Currently there are more than 500 of these so-called SmartApps.
Cybersecurity researchers at the University of Michigan performed a security analysis of SmartThings and developed four proof-of-concept attacks.
They developed an app that disguised itself as a battery level monitor but that was able to spy on someone setting a PIN code for a door.
Researchers also showed how an existing SmartApp could be exploited to give hackers a virtual spare door key, by programming an extra PIN into a smart lock.
Another SmartApp could have its holiday mode, which controls the likes of lights and blinds within the home, turned off.
The final vulnerability showed how a fire alarm could be set off by sending false messages from any SmartApp.
The researchers said the issue with the Samsung platform is that it gives SmartApps too much access to devices and the messages that they generate.
They found more than 40 percent of the almost 500 SmartApps have capabilities that the developers did not originally place into their code.
Atul Prakash, U-M Professor of computer science and engineering, said: “The access SmartThings grants by default is at a full device level, rather than any narrower. As an analogy, say you give someone permission to change the lightbulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets.”
Flaws within apps’ authentication methods and their event subsystems were also revealed. The latter means hackers can place erroneous events within devices, a vulnerability that led to the fire alarm being set off remotely.
Prakash said: “At least today, with the one public IoT software platform we looked at, which has been around for several years, there are significant design vulnerabilities from a security perspective. I would say it’s okay to use as a hobby right now, but I wouldn’t use it where security is paramount.”
A university spokesperson said SmartThings is continuing to explore ways of addressing these vulnerabilities.
Samsung acquired the SmartThings platform in 2014.