Researchers at the University of Michigan have identified a set of vulnerabilities in Samsung’s SmartThings platform that allowed them to remotely unlock doors, set off smoke alarms, and perform other unwanted actions through the use of overprivileged apps.

SmartThings is a platform designed to support the use of a variety of connected devices in a given environment. The platform can control things such as door locks, alarm systems, smoke alarms, lights, and other devices through the use of SmartApps on a mobile device. Users can perform a wide range of actions through those apps, and the researchers at Michigan found that an attacker could run a number of different attacks, thanks to the fact that many SmartApps are granted too many privileges when installed on a device.

“We found that SmartApps were significantly overprivileged: (a) 55% of SmartApps did not use all the rights to device operations that their requested capabilities implied; and (b) 42% of SmartApps were granted capabilities that were not explicitly requested or used. In many of these cases, overprivilege was unavoidable, due to the device-level authorization design of the capability model and occurred through no fault of the developer,” the researchers wrote in their paper, “Security Analysis of Emerging Smart Home Applications”.

Perhaps the most significant attack the researchers developed was one that allowed them to open a SmartThings-connected door lock remotely. This attack took advantage of the overprivileged-app issue, but it also relied on a user clicking a malicious link supplied by the attacker. The attack starts with the researchers downloading a third-party app from Google Play that can control some SmartThings devices. The app asks the user to authenticate to the SmartThings platform and then authorizes a SmartApp to access some managed devices. The researchers then developed a method for stealing a victim’s OAuth token, which they accomplish through the use of a custom URL.

“Broadly, this part of the attack involves getting a victim to click on a link that points to the authentic SmartThings domain with only the redirect_uri portion of the link replaced with an attacker controlled domain. The victim should not suspect anything since the URL indeed takes the victim to the genuine HTTPS login page of SmartThings,” the researchers, Earlence Fernandes and Atul Prakash from the University of Michigan, and Jaeyeon Jung from Microsoft Research, wrote.

“Once the victim logs in to the real SmartThings Web page, SmartThings automatically redirects to the specified redirect URI with a 6 character codeword. At this point, the attacker can complete the OAuth flow using the codeword and the client ID and secret pair obtained from the third-party app’s byte code independently.”

The researchers then reverse-engineered the third-party SmartApp they had used and reconstructed the format of its commands, which allowed them to craft their own commands and send them to the SmartApp.

“After manually testing variations of command strings for a setCode operation and checking the HTTP return code for whether the command was successful, we confirmed that all types of commands (related to locks) are accepted. Therefore, we transmitted a payload to set a new lock code to the WebService SmartApp over OAuth. We verified that the backdoor pin-code was planted in the door lock,” the researchers wrote.

Samsung officials said that they have been in touch with the Michigan researchers, and have determined that the vulnerabilities the team discovered have not affected any customers.

“Over the past several weeks, we have been working with this research team and have already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report. It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place,” Alex Hawkinson of Samsung wrote in a blog post on the topic.
