Hacking the Internet of Things
Tech companies have been pushing the Internet of Things, the concept of letting people control home appliances and other devices through their smartphones. But new findings suggest these systems can give hackers the tools needed to operate smart locks, change access codes and set off Wi-Fi enabled smoke detectors.
Researchers at the University of Michigan hacked Samsung’s SmartThings in four successful attacks, using the system’s own SmartApps to carry out each one.
By evaluating the platform’s security design and investigating the 499 SmartThings third-party apps (SmartApps), researchers found the biggest problem is that 40 percent of the apps are ‘over-privileged’. An over-privileged app can gain access to more operations on the device than it needs to perform its function.
“The access SmartThings grants by default is at a full device level, rather than any narrower,” said Atul Prakash, a computer science professor at the University of Michigan. “As an analogy, say you give someone permission to change the light bulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets.”
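The effect of device-level granting can be modelled as a small audit. The following is an added example, not code from the study or from SmartThings; the device, capability and app names are constructed for illustration. It compares the operations each app can reach with the ones its function needs, under device-level and under narrower capability-level grants.

```python
# Constructed sample data: device, capability and command names are
# illustrative, not taken from the SmartThings platform or the study.
DEVICES = {
    "front-door-lock": {"battery": {"read_level"}, "lock": {"lock", "unlock"},
                        "lock_codes": {"set_code"}},
    "hall-smoke-detector": {"battery": {"read_level"},
                            "alarm": {"siren_on", "siren_off"}},
}

# Hypothetical apps: what each one requests and what its function needs.
APPS = {
    "battery-monitor": {
        "requests": {("front-door-lock", "battery"), ("hall-smoke-detector", "battery")},
        "needs": {("front-door-lock", "read_level"), ("hall-smoke-detector", "read_level")},
    },
    "auto-lock": {
        "requests": {("front-door-lock", "lock")},
        "needs": {("front-door-lock", "lock"), ("front-door-lock", "unlock")},
    },
}

def granted_ops(app, device_level):
    """Operations an app can reach under device-level or capability-level grants."""
    ops = set()
    for device, capability in APPS[app]["requests"]:
        caps = DEVICES[device]
        # Device-level: requesting one capability exposes every capability on the device.
        selected = caps.values() if device_level else [caps[capability]]
        for commands in selected:
            ops |= {(device, command) for command in commands}
    return ops

def excess_ops(app, device_level):
    """Operations the app can reach beyond what its function needs."""
    return granted_ops(app, device_level) - APPS[app]["needs"]

def audit(device_level):
    """Map each over-privileged app to its sorted list of excess operations."""
    report = {app: sorted(excess_ops(app, device_level)) for app in APPS}
    return {app: ops for app, ops in report.items() if ops}

if __name__ == "__main__":
    for mode in (True, False):
        print("device-level" if mode else "capability-level", audit(mode))
```

In this model the battery monitor, which only needs to read battery levels, can also reach the lock and the alarm under device-level grants, while capability-level grants leave no app with excess operations.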
Over-privileged apps are the security loophole that allows hackers to create back doors into the SmartThings system. During the first attack, researchers were able to unlock electric doors by simply sending users a malicious link in a third-party app.
The team was also able to inject erroneous events into fire alarms or lights, turning them on or switching them to vacation mode. These results have implications for all smart home systems, and even the broader Internet of Things, researchers said.
“The bottom line is that it’s not easy to secure these systems,” Prakash said.