Tripwire on Security Flaws in Samsung SmartThings IoT Consumer Platform

1517 0

Researchers at the University of Michigan have discovered several security flaws in Samsung’s SmartThings Internet of Things consumer platform, allowing them to hack into the platform’s automation system and gain control over a user’s home system.

While they did not really reveal a lot of specific details, Craig Young, Cybersecurity Researcher for Tripwire says,

“One issue might be some 3rd party apps for Android that are not properly using SSL leading to intercepted OAUTH tokens. The other aspect of this research addresses questions of developer trust as they showed that they could write a battery check app with hidden malicious functionality.  This is a very serious problem across the industry as software development moves from big firms with reputations at risk to somewhat anonymous developers sometimes with minimal legal exposure.”

Craig explains,

“One way to limit exposure to these risks could be to use scanning technology to enumerate what device functionality is accessed on an app and compare whether it makes sense with the stated purpose of the app.  Unfortunately attackers can still circumvent this logic somewhat by carefully selecting the advertised functionality of a malicious app.  Another option is to request permission from users each time a sensitive operation is to be performed but this can become an annoyance and may hinder productivity.”


CraigYoungCraig Young is a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT). He has identified and responsibly disclosed dozens of vulnerabilities in products from Google, Amazon, IBM, NETGEAR, Adobe, HP, Apple, and others. His research has resulted in numerous CVE assignments and repeated recognition in the Google Application Security Hall of Fame. Craig's presentations on Google authentication weaknesses have led to considerable security improvements for all Google users. Craig won in track 0 and track 1 of the first ever SOHOpelessly Broken contest at DEF CON 22 by demonstrating 10 0-day flaws in SOHO wireless routers. His research into iOS WiFi problems more recently exposed CVE-2015-3728 that could allow devices to inadvertently connect to malicious hot spots. Craig has more recently turned his attention to a different part of the wireless spectrum with research into home automation products as well as RFID/NFC technology.

In this article