Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Samsung Smart Home Flaws Let Hackers Pick Connected Doors From Anywhere In the World (arstechnica.com) 77

Researchers have discovered flaws in Samsung's Smart Home automation system, which if exploited, allows them to carry a range of remote attacks. These attacks include digitally picking connected door locks from anywhere in the world. The flaws have been documented by researchers from the University of Michigan ahead of the 2016 IEEE Symposium on Security and Privacy. "All of the above attacks expose a household to significant harm -- break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper. "The attack vectors are not specific to a particular device and are broadly applicable." Dan Goodin, reports for Ars Technica: Other attacks included a malicious app that was able to obtain the PIN code to a smart lock and send it in a text message to attackers, disable a preprogrammed vacation mode setting, and issue a fake fire alarm. The one posing the biggest threat was the remote lock-picking attack, which the researchers referred to as a "backdoor pin code injection attack." It exploited vulnerabilities in an existing app in the SmartThings app store that gives an attacker sustained and largely surreptitious access to users' homes. The attack worked by obtaining the OAuth token that the app and SmartThings platform relied on to authenticate legitimate users. The only interaction it required was for targeted users to click on an attacker-supplied HTTPS link that looked much like this one that led to the authentic SmartThings login page. The user would then enter the username and password. A flaw in the app allowed the link to redirect the credentials away from the SmartThings page to an attacker-controlled address. From then on, the attackers had the same remote access over the lock that users had.
This discussion has been archived. No new comments can be posted.

Samsung Smart Home Flaws Let Hackers Pick Connected Doors From Anywhere In the World

Comments Filter:
  • ... are belong to us!

    • To be fair, for most homes, they can be broken into rather easily. There is undoubtedly a door or window which is unlocked, or a Lock that isn't properly set up so you can open it with a credit card. Even with alarms, if the person gets overzealous with their home security people are too use to hearing the alarm, So the crook can go in get stuff and out until the neighbor complain about the noise.

      Locking your doors is really just saying, I am not home and please don't come in.

      The home security industry re

      • The home security industry really just plays on people's fear about getting broken into than actually offering any real benefit.

        Speaking of that, my wife and I keep seeing the same 'home security guy" prowling the street like a cat deciding which mice to pounce on. Makes me think of the movie Home Alone; a crook in a cop uniform... I love that movie.

        To top it off the insensitive clod knocks on the door at 9 pm... Perhaps it's time to drop the hot heating coil on the door knob...

        • There's really not much mechanical connection between the inside and outside doorknobs anymore. It used to be there was an iron shaft connecting the two but that made the lock vulnerable to a pipe wrench attack. On a modern door, if you hung a charcoal starter on a doorknob you would set the inside of the door (normally urethane or wood) on fire. At that point the outside would be getting hot but also smoking or bursting into flames. I wonder what would happen if you wired a large capacitor to a metal door
        • by sjames ( 1099 )

          Or just drop hot heating oil on the creep.

      • One of the door to door sales guys even admitted to me that a dog was a better security system than a security system. I looked it up after he left and apparently due to false alarms home security alarm calls are lowest priority for police, so the thieves know they have a good 10 minutes at worst to grab your TV and jewelry before they split, but few want to risk a dog bite. The article had also said that the security system sign, on the other hand, is about as good a deterrent as actually having the syst
        • Or just a sign that says "Beware of Dog".

          • Beware of BIG Dog.
            (He likes people ... preferably with ketchup)

            FTFY

          • You just acknowledged that _you know_ your dog is a hazard.

            Hope he doesn't bite anyone, because you just volunteered to pay punitive damages. Thanks shysters.

            The only sign you want is 'No Trespassing'.

            • Just as having a security sign w/o the system can be a potential deterrent, so can the "Beware of Dog" sign, minus the sign.. after all maybe there is a dog, but he's just always on break.

            • by sjames ( 1099 )

              He is announcing that his dog is a known hazard to people who break and enter. It says nothing about the dog's behavior when someone is invited in.

              • It says your dog is a hazard and you know it.

                If the dog subsequently bites someone, you have already lost the civil case.

                'Beware of Dog' signs are much rarer than they were when I was a kid. Because lawyers.

                • by sjames ( 1099 )

                  lawyer, Liar, same thing. Anyone who knows anything about dogs that they behave much differently for the cases of master present/master absent and in territory/not in territory.

                  In sane jurisdictions (rare, I know) someone who breaks and enters surrenders all expectation of safety.

                  Of course, I see a lot more "Never mind the dog, beware of owner" signs with the silhouette of a gun.

          • by PCM2 ( 4486 )

            One of my friends has a wind chime hanging on his front porch.

            Made of shotgun shells.

        • by JaredOfEuropa ( 526365 ) on Tuesday May 03, 2016 @01:00PM (#52037371) Journal
          That's where a typical home automation setup may give you an advantage over a regular alarm system. You can have it set up so that it will warn *you* instead of the cops, and let you check out the house on your cell phone using security cameras. You can then call the cops: over here they will try to respond quickly if you tell them that your house is being burgled right this minute.
          • That's a good point and use case! Although apparently with the security of those things someone in Romania is going to ransom me for Bitcoins not to SWAT me while I'm eating breakfast.
            • by npslider ( 4555045 ) on Tuesday May 03, 2016 @01:42PM (#52037725)

              This just in...

              A man is found trapped in his new Samsung smart-house tied up in a basement closet with two pieces of toast stuffed in his mouth, covered in ice cubes.

              Apparently a burnt toast hacker, found and exploited a security flaw in every electrically powered device in his home. After refusing to pay the ransom his microwave demanded. The microwave ordered the owners toaster to eject the toast into the owners mouth while the Dyson wireless battery powered vacuum cleaner snuck up from behind. The "possessed" cleaning appliance wrapped him up in a magnetically detachable charging cord.

              This new Dyson model, well known for its ability to remove facial hair from across the room made easy prey of the 45 year old computer programmer. The man was literally drug across his own kitchen floor kicking and sobbing, spit on by the ice maker as he frantically willed the fridge to help him, he had never done the fridge wrong. The basement door opened itself and the vacuum quickly went from suck to blow, ejecting him at near critical velocity into the open closet. The closet door self-closed.

              He was only found because the UPS deliverer, heard the commotion while passing this haunted house.

              In other news, Apple Inc. buys Microsoft, settling the largest online debate about which platform is superior...

          • by TWX ( 665546 )
            In theory if you have a monitorable camera system, a competent security company will check the camera feeds soon after the alarm notification. Obviously this requires that their access to the cameras works properly, and that they respond to alarms quickly, but it's still doable.

            For a security system to work best you need all points of entrance except for one to be instant-trip, as in, if someone attempts to enter through any door other than a particular one, the alarm immediately goes off and trips the
            • The insecurity of the security company's camera monitoring is pretty bad. They wanted basic port forwarding and couldn't even give me IP ranges it would be coming from. Mind you I hear reports of some large towns like austin wont even respond to a house alarm unless the monitoring company verifies via CCTV all but requiring internal CCTV that accessible remotely.

              • by TWX ( 665546 )
                That's pretty bad, about the alarm response.

                Only rule here is that if you have an alarm, you have to register it with the municipality. Alarm doesn't even have to be monitored. The fee is low enough that it doesn't seem like a cash-grab either, like $10/year if I remember right. I think the main purpose is so that they know who to contact if an alarm goes-off and no one is home.
      • That was my thought as well. High-tech attacks are becoming more prevalent with car thieves; they use replacement ECUs, devices to hack into the car's electronic locks, and GPS / GSM jammers to disable Lojack-type protection. They go to such lengths because car security got to the point where a low-tech attack is likely to get you nowhere. But low tech attacks are still enough to get you into most homes. Hackers fiddle with lockpicks, create fake master keys or keys for lock bumping, explore weaknesses
      • by PCM2 ( 4486 )

        The home security industry really just plays on people's fear about getting broken into than actually offering any real benefit.

        I'm sure homeowner's insurance premiums play a role, too.

  • "The one posing the biggest threat was the remote lock-picking attack"

    No, the one posing the biggest threat is the false fire alarm, which could divert firefighting resources from a real fire, causing the loss of life.

    • Houses are broken into the old-fashioned way all the time. This is not a new thing. Doing it remotely sounds more scary, and provides new attack vectors and ways to take advantage of such a form of entry, but there are plenty of ways into a place one wants to get into.

      It also depends on what else is connected and how that could factor in. Running a home out of fuel by running the heat non-stop and allowing it to freeze up, just screwing with the neighbors by putting on a light show, for kicks, or like said

      • Re:Wrong Assessment (Score:4, Interesting)

        by TWX ( 665546 ) on Tuesday May 03, 2016 @01:27PM (#52037627)
        The issue now is that with these vulnerable systems, depending on what a burglar is after, there may be no sign that the house was entered until long after the crime.

        The best crime is the one where no one realizes that a crime was committed. The second best crime is when, on discovery, no one knows when the crime was committed. Before, a burglar usually had to actually break something to get in, such that the evidence of the crime was discovered within hours or days. Now, if the burglar can open their phone and use and application to unlock the door, if they're after something specific and not obvious (like stored jewelery that isn't daily-wear for example) they can come and go without someone realizing until they discover said items missing.
      • If all you're considering is people breaking in and stealing your TV, then sure, this is nothing special. The thing is that this gives the attackers the same access as if they were a legitimate user. Having unlimited and undetectable (as compared to breaking the locks or smashing a window) access opens up a whole world of possibilities for things other than just stealing stuff.

        Imagine a hacker having a list of compromised homes that he sells to criminals, along with a list of times the access codes are u
        • by Lumpy ( 12016 )

          Whereas in reality....

          Thieve wants to break in. he kicks in the door and takes your stuff. No need to buy anything as his size 12 was all he needed. 99% of all homes have completely shit for door strength and the locks and deadbolts are worse.

          then there are those pesky glass things all over houses that are easily broken that doesnt slow them down.

          • by vux984 ( 928602 )

            Here's a scenario... just for example.

            Find an attractive women, or man... or maybe your into kids. Walk in their front door when they aren't home; install some stealthy cameras. You can even return to re-position or recharge them or simply retrieve them. With no breakin, the occupants don't suspect a thing.

            Or install a USB keylogger on their computer; and wait for their bank info, or all sorts of other snooping / information targeted theft etc. Get what you need for identity theft. etc.

            Or kidnapping... ex-h

          • Apparently you didn't read my post. I was specifically talking about the possibilities this opens up that don't involve a typical smash-n-grab (which, short of a gated community with armed guards, you'd still be vulnerable to regardless of security system).
        • by KGIII ( 973947 )

          If they were smart, they'd not even take the cards - they'd just run them through a skimmer (I imagine you could hook one to a cell phone) and you'd never know when it happened. Best of all, they could keep coming back once they found a victim. When "their" new card comes working, they just come back and skim the replacement. Hell, if they had the balls they could do it at night while the victim was asleep.

    • Clearly, you're not thinking selfishly enough...

  • goddamn it, CSI:Cyber was right!
    • I'm pretty sure poor Samsung ain't the only ones with weaknesses. Ever know of a system that was completely secure? Perhaps a Linux box, stuck in the center of a black hole perpetually moving itself to /dev/null, but short of that. Nope.

      • by Lumpy ( 12016 )

        Yep. ALL of this cloud based shit has the exact same problems.

        If your security or automation is cloud based, you have already failed.

  • You call them flaws the NSA calls them government mandated back doors.
    • Now there's a thought... self encrypting houses. Conversations in there would be mighty weird, forget to pass the token to your wife and., wait... now that's a good excuse..

      "I did not hear your encrypted request to take out the trash", must have an old cipher key.

      Worth a try!

      The NSA doesn't need a back door, they already bugged every 2x4, light fixture and most of all the TV remote.

  • Oh, wait, I didn't say that, wait...it was a hacker, stay out of my house..... It's amazing how people don't seem to get the fact that if you make a keyhole everyone can access, regardless of distances, it's so much easier (and fun) to pick the lock.Plus these things weren't exactly designed to be all that secure as much as cheap/convenient. From harded coded passkeys in firmware and up, the IOT things are not security they are convenience...at the price of security.
    • Just put a fingerprint sensor on everything, from the coffee pot to the garage door opener. Everyone knows those things are foolproof.

  • by ScentCone ( 795499 ) on Tuesday May 03, 2016 @12:53PM (#52037329)
    The flaw is that users who click a link that takes them to some OTHER web site, where they then provide their credentials, are then vulnerable to OTHER people using their credentials? How is this even news?
    • by MagicM ( 85041 )

      No. One of the flaws is that users who click a link that takes them to THE SMARTTHINGS LOG-IN SCREEN, where they then provide their credentials, which then sends their credentials to some OTHER web site, are then vulnerable to OTHER people using their credentials. The news is that Samsung's API happily sends log-in results to any arbitrary third party. That's bad, although "the OAuth mechanism has recently been fixed."

      By posting this here as "news" we can all feel smug and laugh at them and learn from th

      • No, the story clearly states that users who click a link that takes them to a site that LOOKS LIKE the Samsung screen but which is really another web site - where they then give up their credentials to a phony back-end system that IS NOT SAMSUNG - suddenly find themselves at the mercy of the person to whom they just handed over their credentials while not bothering to check which web site they were on. Simple phishing attack.
        • by MagicM ( 85041 )

          From the article:

          to click on an attacker-supplied HTTPS link that looked much like this one [smartthings.com] that led to the authentic SmartThings login page.

          Emphasis mine. Also you can see from the link that that is indeed what it does. Yes it's a phishing attack, but not one that uses a look-alike login page.

  • overblown (Score:4, Informative)

    by jlv ( 5619 ) on Tuesday May 03, 2016 @01:04PM (#52037409)

    This "research" is overblown hyperbole based upon tricking the user into falling for a phishing attack or by installing malware. But this big news because this shows that IOT is unsafe!

    Now excuse me, I have email from PayPal telling me to update my account, so I have to go click the link they conveniently sent me.

  • SmartThings is so flaky it doesn't work for authorized users so no worries here.
  • by Wrath0fb0b ( 302444 ) on Tuesday May 03, 2016 @01:34PM (#52037663)

    It can tell you with cryptographic certainty with whom you are talking to and that no one else can eavesdrop on your conversation. It can't tell jack about whether that's actually the entity that you want to talk to -- that's your job :-P

    I mean, HTTPS://BANKOFAMERlCA.COM looks pretty legit right? And if it's a valid certificate (for the owner of bankofamerLca.com, which is totally legit) then there's not a whole lot a browser can do besides blacklist 'known phishing sites' one at a time.

  • Explain to me again how the Internet of Things is a good idea?

    • You can't spell "idiotic" without IOT. Maybe I've gone prematurely old, but I have yet to come across an IoT feature or device that doesn't strike me as unnecessary, dangerous, or both.

      At a minimum, who the hell thought the ability to remotely unlock the door was a good idea? (Yes, sure, I know you can construct some hypothetical scenario where such a thing is useful, but weigh that against risks inherent to such a feature.) I could maaaybe see "remotely lock the door" as a good feature, but the system h

      • by KGIII ( 973947 )

        Hmm... So, you're saying that IOT is idiot missing the id? Presumably, not the Wizard of Id but the other one... You might be on to something.

  • by Anonymous Coward

    working as intended. nothing to see here. move along and keep your damn mouth shut. it took three years to get someone on the inside to do this.

    -nsa/cia/fbi

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...