May 3, 2016

University of Michigan and Microsoft Recognize Study Showing Flawed Security For Smart Homes

But new findings suggest these systems could hold hidden opportunities for hackers to break inside without being noticed. The University of Michigan used malicious apps to hack Samsung's SmartThings in four successful attacks that opened electric doors, changed devices to vacation mode and set off fire alarms.

[From article]
Transforming a home into an 'intelligent agent' allows users to monitor, control and secure it via apps and a smartphone.
But new findings suggest these systems also give hackers the tools needed to operate smart locks, change access codes and set off Wi-Fi enabled smoke detectors.
The University of Michigan hacked Samsung's SmartThings in four successful attacks and used the systems own SmartApps to carry each one out.
'It’s important to note that all the vulnerabilities are hypothetical and haven’t affected SmartThings customers’ because of the approval and review processes they have in place, but they have still worked with the researchers to further secure the platform based on their findings,' a SmartThings spokesperson told in an email.
The University of Michigan, in collaboration with Microsoft, says this study is 'the first in-depth empirical security analysis of a popular emerging smart home programming platform'.
By evaluating the platform's security design and investigating the 499 SmartThings third-party apps (SmartApps), researchers found the biggest problem is that 40 percent of the apps are 'over-privileged'.
The idea that an app is over-privileged means it can gain access to more operations on the device than it needs to perform its function.
'The access SmartThings grants by default is at a full device level, rather than any narrower,' Atul Prakash said, computer science professor at the University of Michigan.
During the first attack, researcher were able to unlock electric doors by simply sending users a malicious link in a third-party app.
If users clicked on the URL, they were brought to the SmartThings website to login their credentials.
A hacker can then redirect a bug to the app and capture the login data to 'inject' a new code into the electric door lock.
The researchers also found that it is possible for developers to create an authentication method called OAuth incorrectly.
This flaw, in combination with the over-privileged SmartApps, allowed hackers to create their own PIN code into the door lock – without the homeowners knowing.
The team showed that an existing SmartApp could be remotely used to make a spare door key virtually by programming an additional PIN into the electronic lock.
Or another can 'eavesdrop' on someone setting up their PIN code for the lock, which will then text it to the hacker.

The SmartApp, which they called a 'lock-pick malware app' was camouflaged as a battery level monitor and only showed the need for that capability in its code.
Earlence Fernandes, a doctoral student in computer science and engineering who led the study, said that 'letting it control your window shades is probably fine.'
'One way to think about it is if you'd hand over control of the connected devices in your home to someone you don't trust and then imagine the worst they could do with that and consider whether you're okay with someone having that level of control,' he said.
The final attacks were carried out by tricking tricking devices inside the home.
The team was able to inject erroneous events in fire alarms or lights that turned them on or switched them to vacation mode.
These results have implications for all smart home systems, and even the broader Internet of Things, researchers said.
'The bottom line is that it's not easy to secure these systems' Prakash said.
'There are multiple layers in the software stack and we found vulnerabilities across them, making fixes difficult.'
The researchers told SmartThings about these issues in December 2015 and the company is working on fixes.
The researchers rechecked a few weeks ago if a lock's PIN code could still be snooped and reprogrammed by a potential hacker, and it still could.
'Protecting our customers' privacy and data security is fundamental to everything we do at SmartThings,' CEO at SmartThings Alex Hawkinson shared in a recent blog post.
'We are fully aware of the University of Michigan/Microsoft Research report and have been working with the authors of the report for the past several weeks on ways that we can continue to make the smart home more secure as the industry grows.'

So much for the smart home: Researchers reveal major security flaws in Samsung's SmartThings system that let hackers unlock your doors and set off alarms
Researchers found 40% of 499 SmartApps are over-privileged
Hackers can create new PIN code by sending users malicious link in app
Injected erroneous events used to trick devices to turn on or shut down
PUBLISHED: 14:06 EST, 2 May 2016 | UPDATED: 14:57 EST, 2 May 2016

No comments: