I’m a big fan of the Internet of Things (IoT), in theory. I like the idea of using small, purpose-built gadgets to make my life easier. The problem with current-generation IoT devices, though, is that they typically trade security for convenience. As a security professional, this is a tough compromise for me to make.
If you follow the blog, you likely saw my article on IoT cameras delivering malware last month. Having a brand new IoT device infect you with malware is probably the most extreme example of poor IoT security. IoT devices shipping full of exploitable security holes, on the other hand, is far more common.
Last week, researchers at the University of Michigan (UM) shared their findings from a security audit they performed on Samsung’s SmartThings home automation system. At a high level, they found four attack vectors that all stemmed from permission problems with the SmartThings Android app.
The SmartThings Android app includes its own SmartApps store where third-party developers can create widgets to add functionality to SmartThings devices. The researchers leveraged these SmartApps to launch their attacks.
In one attack, the researchers created their own application, disguised as a battery level monitor. When installed, the application only asked for permission to monitor battery level, as you would expect. In reality, however, the app had enough privileges to listen for newly entered door lock PIN codes, capture them, and send them to the researchers (or would-be attackers) in a text message.
In another attack, the researchers remotely exploited another popular SmartApp to program an additional PIN into a connected door lock, giving them a literal backdoor into the house. The vulnerable SmartApp wasn’t even designed to program PIN codes into locks.
For the last two attacks, the researchers abused permissions in one SmartApp to turn off “vacation mode” and exploited another SmartApp by injecting false messages to make a fire alarm go off.
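The battery-monitor attack above comes down to permission granularity: the app asked for one capability but was handed every event its target device produced. The following is an added example, not code from the original post or from SmartThings, that models this with a toy event bus. The device inventory, capability names, event attributes and the SmartApp class are all constructed assumptions; the point is the contrast between a broker that scopes access per device and one that scopes it per attribute.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed device inventory: which attributes each device reports.
# Assumption for this example, not real SmartThings device definitions.
DEVICES = {
    "front_door_lock": {"battery", "lock", "codeEntered"},
    "hall_motion_sensor": {"battery", "motion"},
}

# Constructed capability model: each capability names the attributes it covers.
CAPABILITY_ATTRIBUTES = {
    "battery": {"battery"},
    "lock": {"lock"},
    "lockCodes": {"codeEntered"},
    "motion": {"motion"},
}


@dataclass(frozen=True)
class Event:
    device: str
    attribute: str
    value: str


@dataclass
class SmartApp:
    """Hypothetical third-party app: declares capabilities at install time."""
    name: str
    requested: frozenset
    received: list = field(default_factory=list)

    def handle(self, event: Event) -> None:
        self.received.append(event)


def requested_attributes(app: SmartApp) -> set:
    """Attributes the app's declared capabilities actually cover."""
    attrs: set = set()
    for cap in app.requested:
        attrs |= CAPABILITY_ATTRIBUTES[cap]
    return attrs


class EventBus:
    def __init__(self) -> None:
        self.apps: list = []

    def install(self, app: SmartApp) -> None:
        unknown = app.requested - CAPABILITY_ATTRIBUTES.keys()
        if unknown:
            raise ValueError(f"{app.name} requested unknown capabilities {unknown}")
        self.apps.append(app)

    def allowed(self, app: SmartApp, event: Event) -> bool:
        raise NotImplementedError

    def publish(self, event: Event) -> None:
        for app in self.apps:
            if self.allowed(app, event):
                app.handle(event)


class DeviceScopedBus(EventBus):
    """Coarse model: if any requested capability matches the device, the app
    receives every event that device emits, PIN entries included."""

    def allowed(self, app: SmartApp, event: Event) -> bool:
        return bool(requested_attributes(app) & DEVICES[event.device])


class AttributeScopedBus(EventBus):
    """Least-privilege model: the app only receives events whose attribute
    is covered by a capability it was actually granted."""

    def allowed(self, app: SmartApp, event: Event) -> bool:
        return event.attribute in requested_attributes(app)


# Constructed sample traffic: a battery report, a PIN entry and a motion event.
SAMPLE_EVENTS = [
    Event("front_door_lock", "battery", "87"),
    Event("front_door_lock", "codeEntered", "4-8-1-5"),
    Event("hall_motion_sensor", "motion", "active"),
]


def attributes_seen_by_battery_monitor(bus: EventBus) -> list:
    """Install an app that asks only for 'battery' and report what it saw."""
    monitor = SmartApp("BatteryMonitor", frozenset({"battery"}))
    bus.install(monitor)
    for ev in SAMPLE_EVENTS:
        bus.publish(ev)
    return sorted({ev.attribute for ev in monitor.received})


if __name__ == "__main__":
    print("device-scoped:   ", attributes_seen_by_battery_monitor(DeviceScopedBus()))
    print("attribute-scoped:", attributes_seen_by_battery_monitor(AttributeScopedBus()))
```

Under the device-scoped broker the "battery monitor" sees the entered PIN (and the motion sensor's activity) because both devices happen to report a battery level; under the attribute-scoped broker it sees battery readings and nothing else. The defensive takeaway is that a permission prompt is only as honest as the granularity the platform enforces behind it.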
There will always be tradeoffs between security, functionality and ease of use when it comes to IoT devices. Depending on the embedded platform, remote code execution on an internet-connected toaster might not be the end of the world; that is, until it burns down your house I suppose. On the other hand, if I plan to replace my door locks with ones that I can control with my phone, I can reasonably demand the vendor delivers a properly secure system.
The Internet of Things market is still young and growing. Until security becomes a priority, you should remain mindful of the impact a compromised IoT device might cause on your network. – Marc Laliberte