Researchers find vulnerabilities in Samsung’s SmartThings platform

Spread the love

Researchers from Microsoft and the American University of Michigan have found multiple vulnerabilities in Samsung’s SmartThings platform. This made it possible, for example, to set the pin code of a door and to set off the fire alarm.

The research was conducted on 499 SmartThings apps, developed by third parties, that use Samsung’s platform, a closed source backend. Therefore, the researchers conducted their analysis of the apps by means of static source code analysis. The study concludes that 55 percent of apps are requesting too many permissions, creating various security risks. A second finding is that the SmartThings event system does not adequately protect sensitive data, such as the access code for a front door.

With regard to permissions, the researchers also found that 42 percent of apps did not request permissions for certain access rights, but were granted them anyway. This was often caused by the way permissions are assigned by the different devices and was not a developer’s fault. In addition, apps often get full access to a device, although limited access is actually enough.

Often the apps do not need the requested access rights at all. For example, a smart lock could only have the option to be closed remotely, but the SmartThings API also bundles this functionality with opening a lock, The Verge illustrates. According to the researchers, the problem lies mainly in the fact that the permissions are defined too broadly.

The researchers developed several proofs of concept for the vulnerabilities found. One of these involved developing an app to measure power consumption. When installed, this app asked for access to a smart lock, which made it possible to open the door. It turned out that more than 90 percent of the 22 test subjects approved the requested access rights. Through other example scenarios, it was possible for the researchers to disable the vacation mode of smart devices, set a custom PIN for a door and trigger a fire alarm. The PIN code was set by sending a phishing e-mail, in which the OAuth token could be intercepted via a URL.

The researchers shared their findings with SmartThings. They argue to Wired that the attacks described are still possible. A SmartThings spokesperson told Wired that the scenarios described mainly depend on malicious apps being installed and developers not adequately protecting their source code. The company has therefore prepared additional information about this.

The attack illustrating setting your own PIN

You might also like
Exit mobile version