Slashdot Mirror

← Back to Stories (view on slashdot.org)

Samsung Smart Home Flaws Let Hackers Pick Connected Doors From Anywhere In the World (arstechnica.com)

Posted by msmash on from the pick-doors-like-no-one's-watching dept.

Researchers have discovered flaws in Samsung's Smart Home automation system, which if exploited, allows them to carry a range of remote attacks. These attacks include digitally picking connected door locks from anywhere in the world. The flaws have been documented by researchers from the University of Michigan ahead of the 2016 IEEE Symposium on Security and Privacy. "All of the above attacks expose a household to significant harm -- break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper. "The attack vectors are not specific to a particular device and are broadly applicable." Dan Goodin, reports for Ars Technica: Other attacks included a malicious app that was able to obtain the PIN code to a smart lock and send it in a text message to attackers, disable a preprogrammed vacation mode setting, and issue a fake fire alarm. The one posing the biggest threat was the remote lock-picking attack, which the researchers referred to as a "backdoor pin code injection attack." It exploited vulnerabilities in an existing app in the SmartThings app store that gives an attacker sustained and largely surreptitious access to users' homes. The attack worked by obtaining the OAuth token that the app and SmartThings platform relied on to authenticate legitimate users. The only interaction it required was for targeted users to click on an attacker-supplied HTTPS link that looked much like this one that led to the authentic SmartThings login page. The user would then enter the username and password. A flaw in the app allowed the link to redirect the credentials away from the SmartThings page to an attacker-controlled address. From then on, the attackers had the same remote access over the lock that users had.

9 of 77 comments (clear)

  1. Wrong Assessment by EmagGeek · · Score: 2

    "The one posing the biggest threat was the remote lock-picking attack"

    No, the one posing the biggest threat is the false fire alarm, which could divert firefighting resources from a real fire, causing the loss of life.

    1. Re:Wrong Assessment by TWX · · Score: 3, Interesting

      The issue now is that with these vulnerable systems, depending on what a burglar is after, there may be no sign that the house was entered until long after the crime.

      The best crime is the one where no one realizes that a crime was committed. The second best crime is when, on discovery, no one knows when the crime was committed. Before, a burglar usually had to actually break something to get in, such that the evidence of the crime was discovered within hours or days. Now, if the burglar can open their phone and use and application to unlock the door, if they're after something specific and not obvious (like stored jewelery that isn't daily-wear for example) they can come and go without someone realizing until they discover said items missing.

      --
      Do not look into laser with remaining eye.
    2. Re:Wrong Assessment by Lumpy · · Score: 2

      Whereas in reality....

      Thieve wants to break in. he kicks in the door and takes your stuff. No need to buy anything as his size 12 was all he needed. 99% of all homes have completely shit for door strength and the locks and deadbolts are worse.

      then there are those pesky glass things all over houses that are easily broken that doesnt slow them down.

      --
      Do not look at laser with remaining good eye.
  2. What? Read this again! by ScentCone · · Score: 3, Informative

    The flaw is that users who click a link that takes them to some OTHER web site, where they then provide their credentials, are then vulnerable to OTHER people using their credentials? How is this even news?

    --
    Don't disappoint your bird dog. Go to the range.
  3. Re:All your house... by JaredOfEuropa · · Score: 3, Insightful

    That's where a typical home automation setup may give you an advantage over a regular alarm system. You can have it set up so that it will warn *you* instead of the cops, and let you check out the house on your cell phone using security cameras. You can then call the cops: over here they will try to respond quickly if you tell them that your house is being burgled right this minute.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  4. Re:All your house... by BarbaraHudson · · Score: 3, Funny

    Beware of BIG Dog.
    (He likes people ... preferably with ketchup)

    FTFY

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  5. overblown by jlv · · Score: 3, Informative

    This "research" is overblown hyperbole based upon tricking the user into falling for a phishing attack or by installing malware. But this big news because this shows that IOT is unsafe!

    Now excuse me, I have email from PayPal telling me to update my account, so I have to go click the link they conveniently sent me.

  6. Ah TLS/SSL ... by Wrath0fb0b · · Score: 2

    It can tell you with cryptographic certainty with whom you are talking to and that no one else can eavesdrop on your conversation. It can't tell jack about whether that's actually the entity that you want to talk to -- that's your job :-P

    I mean, HTTPS://BANKOFAMERlCA.COM looks pretty legit right? And if it's a valid certificate (for the owner of bankofamerLca.com, which is totally legit) then there's not a whole lot a browser can do besides blacklist 'known phishing sites' one at a time.

  7. Today's News... by npslider · · Score: 4, Funny

    This just in...

    A man is found trapped in his new Samsung smart-house tied up in a basement closet with two pieces of toast stuffed in his mouth, covered in ice cubes.

    Apparently a burnt toast hacker, found and exploited a security flaw in every electrically powered device in his home. After refusing to pay the ransom his microwave demanded. The microwave ordered the owners toaster to eject the toast into the owners mouth while the Dyson wireless battery powered vacuum cleaner snuck up from behind. The "possessed" cleaning appliance wrapped him up in a magnetically detachable charging cord.

    This new Dyson model, well known for its ability to remove facial hair from across the room made easy prey of the 45 year old computer programmer. The man was literally drug across his own kitchen floor kicking and sobbing, spit on by the ice maker as he frantically willed the fridge to help him, he had never done the fridge wrong. The basement door opened itself and the vacuum quickly went from suck to blow, ejecting him at near critical velocity into the open closet. The closet door self-closed.

    He was only found because the UPS deliverer, heard the commotion while passing this haunted house.

    In other news, Apple Inc. buys Microsoft, settling the largest online debate about which platform is superior...