The promise of the upcoming Internet of Things revolution is that you'll be able to control everything in your home and beyond from your smartphone, tablet or PC. But connecting everything to the internet and giving users remote access is also a surefire way to attract hackers and cyber criminals, who will try to get access to all of these newly connected devices.
Unfortunately, criminals and hackers are also unwittingly helped by faulty security protocols and badly written code. This was the case with Samsung's SmartThings platform, one of the main IoT smart home implementations, pushed by the South Korean company.
Researchers discovered two significant flaws in the way the platform was designed and coded, as well as worrying traits in the way apps that connect to the platform behave. These security issues allowed researchers at Microsoft and the University of Michigan to break into the SmartThings system, snoop on users, and obtain secrets such as the PIN codes for smart locks.
The potential methods of attack were quite varied, as the researchers demonstrate in their security paper, which will be presented later this month. The main attack relied on luring a user to a malicious website that stole their credentials and the OAuth token used by the SmartThings app. With that token, the attacker could surreptitiously access the PIN code for a smart lock and even change the lock's settings and behavior.
What's even more worrying is that the flaws are not tied to a specific device; they appear to be systemic and widespread, with a majority of SmartThings apps being granted more permissions than they actually need to do their job.
Since the paper was made public yesterday, SmartThings has disputed some of its claims and stated that recent changes to the way OAuth is implemented have made its apps safer. That said, there is reason to believe that the vulnerabilities disclosed by Microsoft and the University of Michigan haven't actually been fixed, and given their complex nature they may take a long time to resolve.
Source: IoT Security via: Ars Technica