Vulnerabilities in Samsung's SmartThings

Interesting research: Earlence Fernandes, Jaeyeon Jung, and Atul Prakash, "Security Analysis of Emerging Smart Home Applications":

Abstract: Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. This paper presents the first in-depth empirical security analysis of one such emerging smart home programming platform. We analyzed Samsung-owned SmartThings, which has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks. SmartThings hosts the application runtime on a proprietary, closed-source cloud backend, making scrutiny challenging. We overcame the challenge with a static source code analysis of 499 SmartThings apps (called SmartApps) and 132 device handlers, and carefully crafted test cases that revealed many undocumented features of the platform. Our key findings are twofold. First, although SmartThings implements a privilege separation model, we discovered two intrinsic design flaws that lead to significant overprivilege in SmartApps. Our analysis reveals that over 55% of SmartApps in the store are overprivileged due to the capabilities being too coarse-grained. Moreover, once installed, a SmartApp is granted full access to a device even if it specifies needing only limited access to the device. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock codes. We exploited framework design flaws to construct four proof-of-concept attacks that: (1) secretly planted door lock codes; (2) stole existing door lock codes; (3) disabled vacation mode of the home; and (4) induced a fake fire alarm. We conclude the paper with security lessons for the design of emerging smart home programming frameworks.

Research website. News article -- copy and paste into a text editor to avoid the ad blocker blocker.

EDITED TO ADD: Another article.
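The two design flaws the abstract describes (a SmartApp that requests one capability is granted the whole device, and device events such as lock-code reports are delivered to every subscriber of the device) are easier to see in a small executable model. The following is an added illustration, not code from the paper or from SmartThings: the device name, the capability contents, the "battery-monitor" app and the sample event stream are all made up, and the hardened policy is one reasonable fix, not the one Samsung shipped.

```python
"""Toy model of the two SmartThings design flaws summarised in the abstract:
(1) an app that asks for one capability is granted the whole device, and
(2) device events (including a lock-code report) are delivered to every
subscriber of the device regardless of the capability it asked for.
Added illustration with made-up names; this is not SmartThings code."""

# Constructed device model: one lock exposing two capabilities.  Capability
# names mimic the SmartThings style; the command/attribute sets are assumed.
DEVICE_CAPABILITIES = {
    "front-door-lock": {
        "capability.battery": {"commands": set(), "attributes": {"battery"}},
        "capability.lock": {
            "commands": {"lock", "unlock", "setCode", "deleteCode"},
            "attributes": {"lock", "codeReport"},
        },
    },
}


def _capabilities_for(device, command=None, attribute=None):
    """Return the capabilities of `device` that expose the given command or attribute."""
    return {
        name
        for name, spec in DEVICE_CAPABILITIES[device].items()
        if (command is not None and command in spec["commands"])
        or (attribute is not None and attribute in spec["attributes"])
    }


class DeviceLevelGrants:
    """Flawed model: the install-time check is per capability, but the stored
    grant (and every runtime check) is per device, so any one capability
    unlocks all of the device's commands and events."""

    def __init__(self):
        self.grants = {}  # app -> set of devices

    def install(self, app, device, requested_capability):
        if requested_capability not in DEVICE_CAPABILITIES[device]:
            raise PermissionError(f"{device} lacks {requested_capability}")
        self.grants.setdefault(app, set()).add(device)

    def authorize_command(self, app, device, command):
        return device in self.grants.get(app, set())  # command is never consulted

    def authorize_event(self, app, device, attribute):
        return device in self.grants.get(app, set())  # attribute is never consulted


class CapabilityLevelGrants:
    """Hardened model: grants are stored per (device, capability), and both
    commands and events are checked against the capability that exposes them."""

    def __init__(self):
        self.grants = {}  # app -> {device: set of capabilities}

    def install(self, app, device, requested_capability):
        if requested_capability not in DEVICE_CAPABILITIES[device]:
            raise PermissionError(f"{device} lacks {requested_capability}")
        self.grants.setdefault(app, {}).setdefault(device, set()).add(requested_capability)

    def _granted(self, app, device):
        return self.grants.get(app, {}).get(device, set())

    def authorize_command(self, app, device, command):
        return bool(self._granted(app, device) & _capabilities_for(device, command=command))

    def authorize_event(self, app, device, attribute):
        return bool(self._granted(app, device) & _capabilities_for(device, attribute=attribute))


def deliver_events(policy, app, device, events):
    """Event bus: hand each (attribute, value) event to `app` only if the policy allows it."""
    return [(attr, value) for attr, value in events if policy.authorize_event(app, device, attr)]


def run_scenario(policy_cls):
    """A 'battery monitor' app asks only for capability.battery on the lock, then
    tries to unlock the door and listens to the lock's event stream.
    Returns (can_unlock, events_received)."""
    policy = policy_cls()
    policy.install("battery-monitor", "front-door-lock", "capability.battery")
    can_unlock = policy.authorize_command("battery-monitor", "front-door-lock", "unlock")
    # Constructed sample event stream; the lock code value is made up.
    events = [("battery", 87), ("lock", "locked"), ("codeReport", "1234")]
    received = deliver_events(policy, "battery-monitor", "front-door-lock", events)
    return can_unlock, received


if __name__ == "__main__":
    print("device-level grants:    ", run_scenario(DeviceLevelGrants))
    print("capability-level grants:", run_scenario(CapabilityLevelGrants))
```

Under the device-level policy the battery monitor can issue `unlock` and sees the `codeReport` event carrying the code; under the capability-level policy it can do neither and only receives the battery reading. The paper's first finding (coarse-grained capabilities) is a separate problem this model does not address: even a correct capability check cannot help if `capability.lock` itself bundles `unlock` with `setCode`.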

Posted on May 2, 2016 at 9:01 AM • 19 Comments

Comments

Who? • May 2, 2016 10:16 AM

As Ray Dillinger says, it is the Internet of Targets.

...and too easy ones. Cybercriminals love low hanging fruits.

Randy Stegbauer • May 2, 2016 10:51 AM

So, maybe OK for toasters and refrigerators, but not security systems or locks...unless getting into one makes it easier to get into another.

And now, since Samsung has the infrastructure set up and running, it will be unlikely for them to improve the security.

LeBoeuf • May 2, 2016 11:15 AM

Clearly it requires the Homeowner to fall for installing a Trojan Horse to make this work (according to the document). How is that different from any other computer system? It's far easier to steal bank money if you can get a trojan horse in than it is to trick the user, break into their house, NOT get caught on the independent camera system, other motion sensors, door closures, people being home, etc. and then haul away whatever it is you wanted.

albert • May 2, 2016 11:37 AM

Samsung's SmartThings have vulnerabilities?

I'm gobsmacked!

They say folks get the kind of government they deserve. I'm not sure that's as true as it may have been.

It certainly looks like they're getting the kind of toys they deserve...in spades! Insurance companies and lawyers are the big winners here.

Has anyone read the TOS?

Limitation of Liability. TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW, UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, TORT, CONTRACT, STRICT LIABILITY, OR OTHERWISE) SHALL SMARTTHINGS BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR (A) ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING DAMAGES FOR LOST PROFITS, LOSS OF GOODWILL, WORK STOPPAGE, ACCURACY OF RESULTS, OR FAILURE OR MALFUNCTION OF ANY DEVICE CONNECTED TO THE SERVICES, OR (B) ANY AMOUNT, IN THE AGGREGATE, IN EXCESS OF THE GREATER OF (I) $100 OR (II) THE AMOUNTS PAID BY YOU TO SMARTTHINGS IN CONNECTION WITH THE SERVICES IN THE TWELVE (12) MONTH PERIOD PRECEDING THIS APPLICABLE CLAIM, OR (III) ANY MATTER BEYOND OUR REASONABLE CONTROL. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES, SO THE ABOVE LIMITATION AND EXCLUSIONS MAY NOT APPLY TO YOU.

Risk of Loss; Insurance. YOU ACKNOWLEDGE AND AGREE THAT YOUR USE OF THE SERVICES (INCLUDING, WITHOUT LIMITATION, USING THE SERVICES TO SECURE OR OTHERWISE CONTROL ACCESS TO ANY REAL OR PERSONAL PROPERTY) IS SOLELY AT YOUR OWN RISK, AND THAT YOU ACCEPT RESPONSIBILITY FOR ALL LOSSES, DAMAGES AND EXPENSES ARISING OUT OF SUCH USE. SMARTTHINGS IS NOT AN INSURER. YOU ARE RESPONSIBLE FOR MAINTAINING INSURANCE COVERING ALL LOSS, DAMAGE OR EXPENSE, WHETHER FOR PROPERTY DAMAGE, PERSONAL INJURY (INCLUDING DEATH), ECONOMIC LOSSES OR ANY OTHER FORM OF LOSS, DAMAGE OR EXPENSE ARISING OUT OF OR FROM (I) THESE TERMS, OR (II) THE SERVICES.

Indemnity. You agree to indemnify and hold SmartThings, its affiliates, officers, agents, employees, and partners harmless for and against any and all claims, liabilities, damages (actual and consequential), losses and expenses (including attorneys' fees) arising from or in any way related to any third party claims relating to (a) your use of the Services (including any actions taken by a third party using your account), and (b) your violation of these Terms. In the event of such a claim, suit, or action ("Claim"), we will provide notice of the Claim to the contact information we have for your account (provided that failure to deliver such notice shall not eliminate or reduce your indemnification obligations hereunder).

Assignment. You may not assign, delegate or transfer these Terms or your rights or obligations hereunder, or your Services account, in any way (by operation of law or otherwise) without SmartThings's prior written consent. We may transfer, assign, or delegate these Terms and our rights and obligations without consent.

Choice of Law; Arbitration. These Terms are governed by and will be construed under the laws of the State of California, without regard to the conflicts of laws provisions thereof. Any dispute arising from or relating to the subject matter of these Terms shall be finally settled in San Francisco County, California, in English, in accordance with the Streamlined Arbitration Rules and Procedures of Judicial Arbitration and Mediation Services, Inc. ("JAMS") then in effect, by one commercial arbitrator with substantial experience in resolving intellectual property and commercial contract disputes, who shall be selected from the appropriate list of JAMS arbitrators in accordance with the Arbitration Rules and Procedures of JAMS. Judgment upon the award rendered by such arbitrator may be entered in any court of competent jurisdiction. Notwithstanding the foregoing obligation to arbitrate disputes, each party shall have the right to pursue injunctive or other equitable relief at any time, from any court of competent jurisdiction. For all purposes of this Agreement, the parties consent to exclusive jurisdiction and venue in the state or federal courts located in, respectively, San Francisco County, California, or the Northern District of California.

Simply stated, they absolve themselves of -any- responsibility for -anything- that happens as a result of using their products.

Welcome to the IoT Casino. It's like any other software/Internet based system. We build shit and you buy it. It's a win-win.

. .. . .. --- ....

David Leppik • May 2, 2016 11:46 AM

@LeBoeuf: computers and embedded devices are much different, even if they use the same processors. Would you even know how to install software on your microwave or thermostat?

Microwave ovens, cars, and dishwashers have all had real CPUs for decades, but without a user-accessible programming interface. With the exception of Tesla, they aren't designed to have over-the-air software updates, or even software-only updates at all. People don't expect them to change without a technician replacing a part.

Contrast this with PCs, where people expect software to ask them to install a new program, or to type the administrative password, all the time.

K.S. • May 2, 2016 1:53 PM

@albert

Samsung lawyers watched Space Odyssey and became very concerned about legal implications of pod door liability.

Torque • May 2, 2016 2:36 PM

Folks, the U of M guys are not idiots, they worked with Samsung and the problem was totally fixed before they released the story.

albert • May 2, 2016 2:58 PM

@Torque,
Citation please.

According to the paper (cited by Bruce, Appendix D), Samsung is working on the problem. It's not "totally fixed".

If I were a betting man, I'd bet dollars to donuts that there will -always- be attack vectors into their system. As I pointed out, Samsung bears -no- legal liability, only bad publicity. They will address the issue to mitigate criticism, not to make a safer product.

. .. . .. --- ....

Ergo Sum • May 2, 2016 5:29 PM

@albert...

If I were a betting man, I'd bet dollars to donuts that there will -always- be attack vectors into their system. As I pointed out, Samsung bears -no- legal liability, only bad publicity. They will address the issue to mitigate criticism, not to make a safer product.

How is that different from any other software company? It's not like they are going to give you any warranty for their full-of-holes OS, apps, etc.

@Randy Stegbauer...

So, maybe OK for toasters and refrigerators, but not security systems or locks...unless getting into one makes it easier to get into another.

It's not OK... Don't burn my toast and keep my beer cold... :)

Dirk Praet • May 2, 2016 7:29 PM

@ SoWhatDidYouExpect

It is all very simple: don't buy or use that crap!

For now, that's still an option, but in a couple of years from now all of that stuff is going to be ubiquitous, with "analog" alternatives harder and harder to come by, and those refusing to hook up their IoT-enabled stuff will probably face crippled or no functionality when the device can't call home.

For a general idea of what's coming our way, check the Twitter account @InternetofShit .

@ albert

From the TOS: Choice of Law; Arbitration.

For those not familiar with the concept of arbitration, this is probably one of the least understood and most insidious clauses in any contract, agreement or TOS. It actually means that you voluntarily give up your rights to a trial in a regular court and instead agree to resolving any disputes in front of an arbitrator chosen by the party you contracted with.

In the US, there is a reasonable chance that if you have signed an employment agreement, a credit card contract, a health insurance application, or a variety of other contracts, you have probably agreed to arbitration without even knowing it. In the EU, consumer arbitration is much more restricted because the consumer is a non-professional contracting party acting from an economically disadvantaged bargaining position. As a result, the EU acknowledges that use of arbitration for the resolution of consumer disputes entails the risk that consumers will generally be subjected to an unfair arbitral proceeding.

@ Randy Stegbauer

So, maybe OK for toasters and refrigerators, but not security systems or locks

Actually, not even for toasters, refrigerators, toilet seats, Fitbits etc. The entire point of IoT devices is to collect data about their users and send it back to the vendor to be mined, exploited and sold, in the process creating additional attack surfaces for governments and criminals. It's why any such devices at my place are on completely segregated, strictly monitored and strongly firewalled network segments (ingress and egress) that have no access whatsoever to other local subnets.

Nick P • May 2, 2016 8:51 PM

@ Dirk Praet

"It actually means that you voluntarily give up your rights to a trial in a regular court and instead agree to resolving any disputes in front of an arbitrator chosen by the party you contracted with."

"In the EU, consumer arbitration is much more restricted because the consumer is a non-professional contracting party acting from an economically disadvantaged bargaining position. As a result, the EU acknowledges that use of arbitration for the resolution of consumer disputes entails the risk that consumers will generally be subjected to an unfair arbitral proceeding. "

Excellent wording as usual. I wasn't aware of EU's restrictive position. That's a great alternative. The only time I've seen arbitration as a positive thing was a union contract where employer and union agreed to it. The contract was mainly about pay, breaks, promotions, and so on. Things that can be caught quickly with procedural and/or financial ways to handle it. Not something needing a $200+K reward or tens of millions in fines *usually*. ;) The arbitration seemed to provide a benefit to the workers who weren't legally savvy, didn't want to fight a trial, and had a union rep supporting the arbitration.

I mean, small claims court might help here but the company was in all kinds of places, esp rural. So, relatively low consequence stuff with people unable to do court seems major use-case for arbitration.

Bear • May 2, 2016 10:12 PM

Internet of things, my arse.

It's all a misunderstanding; actually it was supposed to be called the Internet Of Targets.

Drone • May 2, 2016 11:45 PM

Let's be careful how loud we scream about the IoT and insecurity - lest we want Big Government to step in and "fix" it for us! The market will expose the bad actors. The cited paper in this post is one example.

fajensen • May 3, 2016 4:11 AM

The market will expose the bad actors

Suuure - Just like "the market" stepped in and "fixed" all of the securities fraud and abuse in the naughties!

Fraud is simply the most efficient business model, left to "the market" fraud will easily undercut and outperform any other possible business.

The same goes for security: the most insecure and crappy products cost the least to develop and test, and provide the added bonus of insecurity, which is that the data (and access to functionality) can more easily be extracted and sold off to interested parties without the OEM being seen to be doing it.

Just like we went with "financialisation": the profit off that big GE freezer we bought on credit is not made on the sale of the thing itself but on the derivatives that can be crafted from the financing deal on it, as shown by GE Finance being *the* profit center of GE.

The same will play out with IoT, the device is irrelevant because it will quickly be sold at a very marginal profit as a channel for the real business model. It is using the data and the access into the buyers private sphere that will yield the real profit. The IoT vendors will first become data-aggregators and then they will move over to behavioural analysis and "nudging" - for a fee.

With IoT one can actually measure directly how often a "Smart TV" ad makes the consumer go to the "Smart" fridge and fetch a specific brand of beer, tagged with a "smart" chip. There is simply no way within capitalism that THAT market will not totally dominate "The Market for Privacy". The cash flow from the former will be magnitudes different. Whoever comes in ahead of the pack with "1 on 1 MI augmented advertising" will be the next Google, with an exponent or two added to the stock value. "The Market" will be piling in on that during the next decade.

... In the EU they now have introduced data-protection laws with fines up to 4% of global turnover. Provided that Lobbying, TTIP and TISA doesn't kill it, The Law and Enforcement of the Law, not "the market" should help clean up the worst actors. But, I'll still be buying the stocks.

Curious • May 3, 2016 9:02 AM

This thread about "smart things" made me think about what I think of as being an old system of security, like with a mechanically locked door, and that it afaik incorporates just a few parties, while the internet-of-things, as I imagine it, could compulsively lead to multi-party relations, which probably helps deteriorate not only the security one thinks one has, but also undermines the privilege as such of having security as such (think here of privacy as being a right for the individual, for having or choosing things so that others aren't entitled nor even being encouraged to exclude 'your' opinion about things). I think it would be important to include the following "things" as being 'subject matter' regarding everyone's opinions: 'choices', 'expectations', 'presumptions', 'hopes' and 'common sense of man (but not "society", oddly enough)'.

("Society" as a metaphorical construct in any way, would not entail moral actors, as explained later here below.)

I wonder if perhaps it could be said that US law is really being ignorant, of anything related to an individual by even having such words/terms as "expectation" alone (heh, "all one"), if being treated as if 'expectation' was a delegated belief that by merit of recognition also might have the side effect of simply excluding anything that pertains to an individual as 'rights', and any understanding of such rights (incl. the opinion, beliefs, knowledge, existence even, of an individual).

I like to think that, usually, the implementer, owner or the supervisor for one's locked door at home probably involves just a few parties: yourself with your key, the company that makes the lock, and whoever, if any, actually owns your property and door/lock. Adding more parties to this, allowing for any number of additional intruders as a particular problem in itself, seems to not only weaken what one could call 'security' as an effect, in the sense of a door not ending up allowing an intruder to pass through, but I think such technology that in this sense would allow what I just now called "any number of additional intruders", I think it would be fair to consider such technology to be intrusive if ending up trivializing not only the security of someone's house for example, but also and more importantly perhaps for discussion about law, that such tech trivializes and in effect undermines people's need/demand for 'privacy' (specifically if people's real privacy doesn't really exist as a legal entity and whereof a government's idea of 'privacy' can't or won't include the needs and demands of any one individual).

I think being a customer of internet-of-things should imo never entail the trivialization, or the negation, of rights, even if being imaginary rights (metaphorical/imagined or even based on an individual's expressed or imagined need for privacy), in the form of choices (own), expectations (own), presumptions (own), hopes (own), and one's own belief in common sense. The last part could perhaps be particularly interesting, as that notion of "common sense" probably will challenge common ideas about common sense (think tradition and history), and that would as I see it possibly open up for new things, new ideas and perhaps more importantly, new laws and regulations that favor the individual as having rights as such. So in a way, I suspect that notions or specific ideas about "common sense", if taken too seriously, could perhaps end up being used as a rhetorical ploy for simply wanting to be pragmatic, but ofc being pragmatic is nothing like common sense if you think about it. Being pragmatic always favors the acting party, as a moral choice as such, while common sense favors pretty much all the others as well for acting on the will to do something in particular. I think it should be obvious that being a member of a group that somehow is associated with having made a choice has nothing to do with being moral if oneself is not free, willing and able to make a choice alone. Ergo, the very idea of making a choice as a group imo should not be possible philosophically speaking, or rather, metaphorically speaking. Thus I will argue, perhaps being understood by others as suggesting something provocative, that any idea of 'acting on authority' as being 'moral' as such, as if a mere subscription to common ideas, or an association to groups of people or an organization of people, inferred being a moral actor as such, such is not possible I'd argue, and so groups can't really be said to make choices at all, as if being a matter of fact.
'Generalization' is a "huge" problem this way, and should at best be considered a 'difficult' problem to even understand.

If considering a notion of there being a consumer, specifically as if the consumer by act of purchasing some tech item has been retroactively imposed with the power of acting, or having made a choice in a specific or generalized sense, I think such types of arguments should in turn be considered a moot point, and instead simply be thought of as being a metaphorical construct (as if simply being rhetorical, and thus treat the meanings as generalizations, or as being imposed on the listener/reader, or at best being suggestive and thus being something of less import), and that any credence to any such ideas should be voided if politicians, authorities and anyone involved with technology were to seemingly argue that consumers already are cared for within the existing rules and regulations (and I am here simply assuming that they are not).

So, I will at the end here phrase the general question: have individuals everywhere been given the right to privacy?

Here is the kicker: one would think that people as individuals would be entitled to equal rights, for being individuals everywhere without exclusion or exception, despite age, sex/gender, looks and interests.

Presumably, as imo nation states have made impossible the very idea of individuals having rights as such, I question why that is. In my country, I'd argue that you can end up ending your life in a ditch as you die there of starvation, with no rights to be claimed by yourself, not ever, yet as a consumer, you can in a court of law actually claim rights to be brought to bear as you please given the premises in specific law for consumer purchases for goods above a certain minimum value already set by this particular law (equivalent to about $25 the last time I checked).

In this way, with the internet-of-things today, I think the lack of privacy seems like something of a humanitarian disaster that never ends, seemingly because the rights of individuals don't exist when presumably competing against state and corporate power and interests.

Fs • May 9, 2016 12:29 AM

Samsung also requires that to update the firmware of your SSD drive you have to send Samsung all your computer data like serial numbers.
