Ethical hackers have demonstrated that they could breach the security of an experimental smart home. These breaches allowed them to set off fire alarms, turn off lights or even obtain locked PIN codes and walk right through the front door.
Disguised Malware Spies on PIN Codes
Using lock pick malware disguised as a battery level app, the researchers were able to monitor the PIN that was used to unlock the home. Once the PIN was input by the Smart Home resident, the malware sent a text to the hacker containing the PIN code.
This was made possible by the wide range of control granted to Smart Home apps. The researchers found more than 40% of nearly 500 apps tested granted capabilities not specified in their code.
“Spare-Key” Remotely Programmed
App developers occasionally deploy an authentication method called OAuth incorrectly. The combination of this mistake and the promiscuous access granted to Smart Apps allowed the researchers to remote program an additional PIN into the Smart Home door lock.
Vacation Mode Cancelled
An app allowing users to program timers on the lights, blinds, etc. of their house had its vacation mode disabled by a separate app.
Triggering Fire Alarms
The event subsystem (the stream of messages produced by devices as they’re programmed and carry out instructions) was found to be unsecure. Since this subsystem is used by devices to communicate, the researchers were able to plant false messages into the network, causing fire alarms to go off erroneously.
These issues were presented to Samsung’s SmartThings in December 2015, but a check by the researchers a few weeks ago proves the problem persists. SmartThings officials say they’re working on the issues, but they are not easily remedied. The vulnerabilities exist in multiple layers of the software, making a fix difficult.
The University of Michigan researchers will present a paper on their findings entitled "Security Analysis of Emerging Smart Home Applications" May 24 at the IEEE Symposium on Security and Privacy in San Jose.