A report from a University of Michigan & Microsoft research team demonstrates how Samsung’s SmartThings platform may be especially vulnerable to hackers. Security experts from Rapid7, prpl Foundation and Veracode provide their insights below.
Deral Heiland, Research Lead, Rapid7:
The University of Michigan research conducted on the Samsung Smart home IoT solutions points out several key issues that span well past Samsung and potentially impact a large quantity of smart technology. Three important areas were pointed out during this research.
- Excessive access rights of the primary Mobile application
- Insecure 3rd party application with excessive access rights to other application data or services
- Social engineering attacks against mobile users
First, one of the key things pointed out within this research is access rights. When dealing with mobile applications it is very common for mobile apps to be granted more access rights than what is needed for them to function properly, as was pointed out within this research. The researchers successfully used the elevated rights to carry out further exploitation. It is also important to note this issue is widespread across many mobile applications, not just the Samsung Smart Home application.
As for the second key area, the installation of third-party applications can often lead to those applications having access to critical security data of other installed applications and services. Although applications should be protected from this cross-application style attack, this method was used by the researchers to interact with critical security functions within the Samsung Smart Home service. By attacking a weaker application on the phone it may be possible to exploit other critical applications.
Finally, one of the proofs of concept conducted during this research required the user to click on a URL link for the attack to be successful. This points out one of the most common issues we must deal with on a day-to-day basis, the Phishing attack. By tricking an end user into carrying out some operation, this often leads to the compromise of the system. It is important whether using smartphones or standard computers that we all remain diligent against this style of attack.
Cesare Garlati, Chief Security Strategist, prpl Foundation:
“The home is something that is precious – you wouldn’t just allow anyone through your front door, so why do people do it with their connected devices so willingly? When it comes to IoT in the home, people must realise that security of these devices just doesn’t exist yet. A case such as this brings forward a number of questions, particularly: Do these systems really need a mobile app? Does the app really need to connect to a central server in the cloud? And most importantly, is it sound to have a smartphone (especially running on Android) control anything that is critical to you?
“These are all key questions to address when we look at IoT, especially in the home as a vast majority will not use apps that are developed by the OEM, but rather assembled using a host of third parties – of which they have no control or visibility over. In order to combat this, OEMs should implement open and interoperable standards in their devices and Home IoT Architecture should rely only on a local hub, which should be secured. If researchers can break these devices, it’s a safe bet that criminals may have already found a way in, too.”
Paul Farrington, Senior Solution Architect, Veracode:
“The Internet of Things (IoT) revolution has paved the way for new opportunities for revenue and growth, but it also poses a growing security challenge. Worryingly, Gartner is predicting that by 2020 more than 25 per cent of identified attacks in enterprises will involve the IoT. Indeed, in industries where we’re already seeing a greater number of connected devices being introduced, such as healthcare and automotive, we are witnessing an ever-increasing number of security vulnerabilities being discovered.
While the risk of vulnerable IoT devices is becoming increasingly apparent through the number of vulnerable devices and subsequent breaches, security frequently remains an afterthought for the industry rather than an integral factor from the design phase. Such an approach ultimately poses a massive threat to the consumer. Indeed, the latest vulnerabilities found in the Samsung Smart Home System demonstrated how these flaws can also significantly impact physical as well as information security, with researchers able to open electronic locks, change the smart home’s holiday settings, and even set off a house’s fire alarm with false messages.
For organisations deploying consumer devices, it is important that they consider the significant implications that vulnerable applications can pose to the wider corporate network. Indeed, for the Samsung Smart Home System, the weaknesses are attributed to the openness of the system. This once again highlights how important it is that smart devices are provisioned on a network separate to any with access to corporate or sensitive information to ensure that they aren’t exploited, which ultimately could lead to a significant data breach.”