Samsung's SmartThings connected home platform seems to have serious security issues

Researchers at the University of Michigan have found multiple security flaws in Samsung's SmartThings platform that could allow malicious apps to unlock doors, remotely set access codes to a smart home lock, falsely set off smoke alarms, or put devices on vacation mode. All the attacks showcased in the video require users to install a malicious app from SmartThings app store or click a malicious link.

It seems that most pressing issues in the SmartThings platform are the privileges given to apps, many of which they don't even need to function. For instance, a smart lock only needs permission to lock itself, but SmartThings bundles a command that allows it to unlock itself, which could then be used by a malicious app to unlock the door. Researchers showcased an overprivileged app that lets hackers program their own PIN code for a smart lock.

Researchers showcased their findings through a proof of concept app that promises to monitor battery life on various devices. However, it asks permission for a lot of other things apart from a permission to monitor battery level on products and users unknowingly allow the app. The team analyzed 499 SmartApps and found that around 42 percent apps are currently overprivileged.

Following this report, a SmartThings representative said, “The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third-party developers to follow SmartThings guidelines on how to keep their code secure. Following this report, we have updated our documented best practices to provide even better security guidance to developers,” in an email to The Verge.

Alex Hawkinson, CEO of SmartThings, said the company has issued a number of updates after the findings in the research. The company claims that it conducts app reviews to filter out malicious apps, but the researchers aren't convinced that the company's efforts are enough to stop these attacks. Samsung acquired SmartThings two years ago when the concepts of connected home and IoT were fairly new.