Internet-connected smart home fixtures and appliances that you can control on your mobile device have a lot of appeal — until a stranger from another country or next door unlocks your smart lock or sets off the fire alarm.
Security researchers from the University of Michigan found that they could do exactly that and more when they tested the Samsung SmartThings platform. SmartThings is a platform for networking smart locks, thermostats, appliances and security systems for the home. Their research uncovered some of the Samsung smart home platform’s weakest spots, which malicious hackers can use to remotely attack and take over your system. Once that happens, malicious hackers can do pretty much everything that you can do — including unlocking your door from anywhere.
Other attacks that the researchers carried out include texting a smart lock’s PIN code after it was retrieved by a malicious app, disabling preset modes and triggering false fire alarms. The worst of them all, however, was the attack that enabled the hackers to remotely open a connected smart lock by forcibly injecting a PIN via a system backdoor, giving the hackers prolonged and undetected access to the victim’s home. For this, the researchers took advantage of vulnerabilities in an undisclosed app in the SmartThings app repository.
Two flaws in SmartThings’ design enabled the researchers to succeed in hacking into the system. They said that the SmartThings framework allowed for over-privileging of apps. That is, even an app whose sole function is to lock and unlock doors gets more privileges than it actually needs. Further, the SmartThings app was developed using the Groovy programming language, which made code injection easy for the researchers. The researchers found that, at the time the research was conducted, more than half of the 499 available SmartApps were over-privileged and that 42 percent of the apps were given unnecessary privileges.
What’s worse is that the holes cannot be easily plugged because they have been baked into the SmartThings framework itself. So, the researchers advised consumers to be prudent when using SmartThings for connecting smart locks and other smart home devices crucial to security and privacy. They feel the system’s vulnerabilities can expose a home to harmful attacks, including theft, break-ins, vandalism and misinformation.
So what should you do to ensure the safety of your smart lock? For now, if you have a smart lock connected to the SmartThings platform, unlink it until the security holes have been plugged. Used in stand-alone mode with its own smartphone app, it won't be vulnerable to the type of attack the researchers were able to perform.
For smart lock owners in general? We'd recommend keeping your lock functionality separate from your smart home system. Only use it within the security system and apps that have been designed to keep your home safe.
For more in-depth information about the study, see the paper that the security researchers will be presenting at the upcoming IEEE Symposium on Security and Privacy.
[Image credit: smart house, home automation, device with app icons via Shutterstock]