
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Not So SmartApps

May 11, 2016 By Marc Laliberte

I’m a big fan of the Internet of Things (IoT), in theory. I like the idea of using small, purpose-built gadgets to make my life easier. The problem with current generation IoT devices though, is that they typically trade security for convenience. As a security professional, this is a tough compromise for me to make.

If you follow the blog, you likely saw my article on IoT cameras delivering malware last month. Having a brand new IoT device infect you with malware is probably the most extreme example of poor IoT security. IoT devices that ship full of exploitable security holes, on the other hand, are far more common.

Last week, researchers at the University of Michigan (UM) shared their findings from a security audit they performed on Samsung’s SmartThings home automation system. At a high level, they found four attack vectors that all stemmed from permission problems with the SmartThings Android app.

The SmartThings Android app includes its own SmartApps store where third-party developers can create widgets to add functionality to SmartThings devices. The researchers leveraged these SmartApps to launch their attacks.

In one attack, the researchers created their own application, disguised as a battery level monitor. When installed, the application only asked for permission to monitor battery level, as you would expect. In reality, however, the app had enough privileges to listen for newly entered door lock PIN codes, capture them, and send them to the researchers (or would-be attackers) in a text message.
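The battery-monitor attack works because the platform scoped access to the whole device rather than to the single capability the app asked for. The following is an added illustration, not SmartThings code and not part of the UM research or this post: a toy permission model with two policies, one that grants every capability of a device once an app is allowed to touch it, and one that grants only the requested capability. The capability names (battery, lock, lockCodes), the event stream and the PIN value are all constructed for the example.

```python
"""Toy model of device-scoped vs capability-scoped permissions.

Constructed for illustration only; it does not reproduce the SmartThings
API. It shows why an app that declares it needs only battery level can still
observe lock-code events when access is granted per device.
"""
from dataclasses import dataclass, field

# Capabilities the toy smart lock exposes (names are assumed, not real API).
LOCK_CAPABILITIES = {"battery", "lock", "lockCodes"}


@dataclass
class Device:
    name: str
    capabilities: set

    def events(self):
        # Constructed sample event stream the device would publish.
        return [
            ("battery", {"level": 87}),
            ("lockCodes", {"slot": 3, "code": "4321"}),  # constructed PIN
            ("lock", {"state": "locked"}),
        ]


@dataclass
class App:
    name: str
    requested: set                       # capabilities the app declares
    seen: list = field(default_factory=list)


class DeviceScopedPlatform:
    """Coarse policy: any matching capability unlocks the whole device."""

    def authorize(self, app, device):
        if app.requested & device.capabilities:
            return set(device.capabilities)
        return set()


class CapabilityScopedPlatform:
    """Least-privilege policy: only the requested capabilities are granted."""

    def authorize(self, app, device):
        return app.requested & device.capabilities


def deliver_events(platform, app, device):
    """Route device events to the app, filtered by what was granted."""
    granted = platform.authorize(app, device)
    for cap, payload in device.events():
        if cap in granted:
            app.seen.append((cap, payload))
    return app.seen


def run_battery_monitor(platform):
    """Install a 'battery monitor' app and return the event types it saw."""
    lock = Device("front-door", set(LOCK_CAPABILITIES))
    app = App("battery-monitor", {"battery"})
    return [cap for cap, _ in deliver_events(platform, app, lock)]


def overprivilege(platform, app, device):
    """Audit helper: capabilities granted beyond what the app requested."""
    return platform.authorize(app, device) - app.requested


if __name__ == "__main__":
    # The same app under each policy: the coarse one leaks lockCodes events.
    print("device-scoped:", run_battery_monitor(DeviceScopedPlatform()))
    print("capability-scoped:", run_battery_monitor(CapabilityScopedPlatform()))
```

The overprivilege helper is the kind of check a platform reviewer or app store could run at install time: anything it returns is access the app never asked for and the user never knowingly approved.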

In another attack, the researchers remotely exploited another popular SmartApp to program an additional PIN into a connected door lock, giving them a literal backdoor into the house. The vulnerable SmartApp wasn’t even designed to program PIN codes into locks.

For the last two attacks, the researchers abused permissions in one SmartApp to turn off “vacation mode” and exploited another SmartApp by injecting false messages to make a fire alarm go off.

There will always be tradeoffs between security, functionality and ease of use when it comes to IoT devices. Depending on the embedded platform, remote code execution on an internet-connected toaster might not be the end of the world; that is, until it burns down your house, I suppose. On the other hand, if I plan to replace my door locks with ones I can control from my phone, I can reasonably demand that the vendor deliver a properly secured system.

The Internet of Things market is still young and growing. Until security becomes a priority, you should remain mindful of the impact a compromised IoT device could have on your network. – Marc Laliberte

Filed Under: Editorial Articles
