Researchers at the University of Michigan announced on Monday that they had discovered a series of security vulnerabilities in the Samsung SmartThings home automation system that essentially allowed hackers to take control of various functions and break into a user’s home.
The researchers, who worked with Microsoft on what may be the first comprehensive study of an Internet of Things implementation in the home, performed a security analysis of the system.
They were able to carry out four proof-of-concept attacks that gave them the ability to enter the house or take over various functions:
A malicious lock app disguised as a battery-level monitor can capture a new door lock PIN as the user sets it and send that PIN to a potential hacker via text message.
A SmartApp can be exploited to create a backup door key by remotely programming an additional key into an electronic lock.
A SmartApp can turn off vacation mode in another app; that mode lets users schedule indoor lights, curtains and other tasks to help secure the house while residents are away.
By sending false messages through a SmartApp, the researchers were able to set off the alarm.
The researchers tested SmartThings because of its widespread use. The system’s Android app has been downloaded over 100,000 times. The SmartThings App Store, where third-party developers publish apps for the system, has more than 500 apps.
The research showed that the platform suffers from a vulnerability called “overprivilege,” which basically means that SmartApps are granted more access to devices than originally intended, and that devices can be made to do things they were not originally programmed to do.
The researchers said that additional capabilities had been granted to 40 percent of the nearly 500 applications tested, and that developers had deployed an OAuth authentication method incorrectly. Combined with the overprivilege built into the system, the flaws may allow attackers to program their own PIN code into the system, creating a backup key to attack the system.
In addition, the so-called “event subsystem” – the set of messages that devices generate during their programming – was insecure, the researchers said.
They reported the problems to Samsung last year and have been working with the company to fix the vulnerabilities.
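An added example, not code from the researchers or SmartThings: a minimal audit for the overprivilege described above, comparing the capabilities an app requests with what its code actually uses. The capability table and the manifest format are constructed assumptions, and the second check (partly used grants) generalizes beyond what the article states.

```python
# Constructed, simplified capability table (assumption): each capability
# grants every attribute and command listed, all at once.
CAPABILITIES = {
    "capability.battery": {"attr:battery"},
    "capability.lock": {"attr:lock", "cmd:lock", "cmd:unlock"},
    "capability.switch": {"attr:switch", "cmd:on", "cmd:off"},
}

# Constructed manifests in a hypothetical format: what each app requests
# at install time versus what its code actually touches.
APPS = [
    {"name": "battery-monitor",
     "requests": ["capability.battery", "capability.lock"],
     "uses": ["attr:battery"]},
    {"name": "auto-lock",
     "requests": ["capability.lock"],
     "uses": ["attr:lock", "cmd:lock"]},
    {"name": "porch-light",
     "requests": ["capability.switch"],
     "uses": ["attr:switch", "cmd:on", "cmd:off"]},
]

def audit(app):
    """Return (capability, finding, detail) tuples for one manifest."""
    used, findings = set(app["uses"]), []
    for cap in app["requests"]:
        granted = CAPABILITIES.get(cap)
        if granted is None:
            findings.append((cap, "unknown-capability", []))
        elif not granted & used:
            # Requested but never exercised: drop it from the manifest.
            findings.append((cap, "unused-capability", sorted(granted)))
        elif granted - used:
            # Partly used: the grant still carries the unused members.
            findings.append((cap, "excess-grant", sorted(granted - used)))
    return findings

def overprivileged_share(apps):
    """Fraction of apps holding a capability they never use."""
    flagged = [a for a in apps
               if any(f[1] == "unused-capability" for f in audit(a))]
    return len(flagged) / len(apps)

if __name__ == "__main__":
    for app in APPS:
        print(app["name"], audit(app))
    print("share with unused capabilities:", overprivileged_share(APPS))
```

A reviewer would reject or trim any manifest that produces an `unused-capability` finding before the app is published.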
“Protecting our customers’ privacy and data on smartphones is central to everything,” said SmartThings CEO Alex Hawkinson.
He said the company regularly conducts security checks for its systems and collaborates with third-party experts to stay ahead of the security teams.
Hawkinson said that the SmartThings team has worked with researchers over the past few weeks on vulnerabilities and released several updates to protect against potential vulnerabilities.
He said none of the weaknesses mentioned in the report affected customers.
As an open platform with a growing and active community of developers, SmartThings provides detailed instructions on how to secure all code and identify a reliable source. Code downloaded from an untrusted source may present a potential threat.
The company has updated its documented best practices to provide better security guidelines for developers.
Lack of development
Without knowing the details of the development, it is impossible to know how the vulnerabilities were introduced, said Christopher Budd, director of global threat communications at Trend Micro.
In general, these weaknesses point to problems in the development process, specifically the priority given to security in that process, he told TechNewsWorld.
“This is a broad and common category of problems, not only in Internet of Things devices, but also desktop and mobile applications.”
The paper is to be presented later this month at the IEEE Symposium on Security and Privacy in San Jose, California.
When Intel released its diversity report last week, it experienced less diversity among its executives.
Intel is one of the few companies that is transparent about diversity. Since lack of diversity is the problem we want to solve, piracy is foolishness. This will make the problem more difficult. In fact, Intel did the right thing and punished him.
Like individuals, companies will also be less likely to do the right thing if the penalty is the reward. Given that we have been working since the 1970s to fix this problem, but largely unsuccessfully, it is surprising that taking positive steps to make progress is a wiser approach than doing the right thing companies is.