Earlier this week the University of Michigan issued a report,
Security Analysis of Emerging Smart Home Applications, which details the results of an in-depth study of popular emerging smart home programming platform, SmartThings by Samsung.
Written by Earlence Fernandes, Jaeyeon Jung, and Atul Prakash, the report, which will be presented at the 37th IEEE Symposium on Security and Privacy this month, evaluated SmartThings’ security design along with an analysis of 499 of the platform’s apps (SmartApps) and 132 device handlers using static code analysis tools built by the research team.
The results, as noted by the researchers, found that SmartApps can gain access to more operations on devices than their functionality requires (“overprivileged”) and that the platform’s events subsystem (the communication system between apps and devices that allows actionable events) doesn’t not sufficiently protect events that carry sensitive information, such as lock pincodes.
The University of Michigan researchers explained that they exploited the SmartThings’ framework design flaws in four ways: by secretly planting door lock codes, stealing existing door lock codes, disabling vacation mode of the home, and inducing a fake fire alarm.
“Overprivilege is a security design flaw wherein an app gains access to more operations on protected resources than it requires to complete its claimed functionality,” the researches explained on their website. “For instance, a battery manager app only needs access to read battery levels of devices. However, if this app can also issue operations to control the on/off status of those devices, that would be overprivilege.
“We found two forms of overprivilege for SmartThings. First, coarse-grained capabilities lead to over 55% of existing SmartApps to be overprivileged. Second, coarse SmartApp-SmartDevice binding leads to SmartApps gaining access to operations they did not explicitly ask for. Our analysis reveals that 42% of existing SmartApps are overprivileged in this way.”
The researchers, in answer to why SmartThings as the basis of their research, pointed to the emergence of several competing home programming platforms that support third-party app development—offering benefits to users but also exposing them to security risks. Samsung’s SmartThings as one of the most mature platforms on the market, also has one of the largest set of apps available while also supporting a broad range of devices (door locks, motion sensors, etc.)
Samsung has issued a statement acknowledging the report while also reassuring its SmartThings customers that the platform is secure.
“Protecting our customers’ privacy and data security is fundamental to everything we do at SmartThings,” Samsung said in the statement. We regularly perform security checks of our system and engage with professional third-party security experts, embracing their research so that we can continue to stay in front of any potential vulnerabilities and be industry leaders when it comes to the security of our platform.”
Samsung’s statement continued: “Over the past several weeks, we have been working with this research team and have already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report. It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place.
Even though current customers have not been impacted, we take the recommendations of Mr. Fernandes, Dr. Jung, and Dr. Prakash seriously and are grateful for all opportunities to continue to improve the security of our platform.”