Samsung Smart Home Flaws Let Hackers Pick Connected Doors From Anywhere In the World

Researchers have discovered flaws in Samsung's Smart Home automation system, which if exploited, allows them to carry a range of remote attacks. These attacks include digitally picking connected door locks from anywhere in the world. The flaws have been documented by researchers from the University of Michigan ahead of the 2016 IEEE Symposium on Security and Privacy. "All of the above attacks expose a household to significant harm -- break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper. "The attack vectors are not specific to a particular device and are broadly applicable." Dan Goodin, reports for Ars Technica: Other attacks included a malicious app that was able to obtain the PIN code to a smart lock and send it in a text message to attackers, disable a preprogrammed vacation mode setting, and issue a fake fire alarm. The one posing the biggest threat was the remote lock-picking attack, which the researchers referred to as a "backdoor pin code injection attack." It exploited vulnerabilities in an existing app in the SmartThings app store that gives an attacker sustained and largely surreptitious access to users' homes. The attack worked by obtaining the OAuth token that the app and SmartThings platform relied on to authenticate legitimate users. The only interaction it required was for targeted users to click on an attacker-supplied HTTPS link that looked much like this one that led to the authentic SmartThings login page. The user would then enter the username and password. A flaw in the app allowed the link to redirect the credentials away from the SmartThings page to an attacker-controlled address. From then on, the attackers had the same remote access over the lock that users had.

Re:Wrong Assessment

[TWX]

The issue now is that with these vulnerable systems, depending on what a burglar is after, there may be no sign that the house was entered until long after the crime.

The best crime is the one where no one realizes that a crime was committed. The second best crime is when, on discovery, no one knows when the crime was committed. Before, a burglar usually had to actually break something to get in, such that the evidence of the crime was discovered within hours or days. Now, if the burglar can open their phone and use and application to unlock the door, if they're after something specific and not obvious (like stored jewelery that isn't daily-wear for example) they can come and go without someone realizing until they discover said items missing.