Category Archives: home security

Flaws in Samsung’s ‘Smart’ Home Let Hackers Unlock Doors and Set Off Fire Alarms

AUTHOR:  ANDY GREENBERG



A SMOKE DETECTOR that sends you a text alert when your house is on fire seems like a good idea. An internet-connected door lock with a PIN that can be programmed from your smartphone sounds convenient, too. But when a piece of malware can trigger that fire alarm at four in the morning or unlock your front door for a stranger, your “smart home” suddenly seems pretty dumb.

The security research community has been loudly warning for years that the so-called Internet of Things—and particularly networked home appliances—would introduce a deluge of new hackable vulnerabilities into everyday objects. Now one group of researchers at the University of Michigan and Microsoft have published what they call the first in-depth security analysis of one such “smart home” platform that allows anyone to control their home appliances from light bulbs to locks with a PC or smartphone. They discovered they could pull off disturbing tricks over the internet, from triggering a smoke detector at will to planting a “backdoor” PIN code in a digital lock that offers silent access to your home, all of which they plan to present at the IEEE Symposium on Security and Privacy later this month.

“If these apps are controlling non-essential things like window shades, I’d be fine with that. But users need to consider whether they’re giving up control of safety-critical devices,” says Earlence Fernandes, one of the University of Michigan researchers. “The worst case scenario is that an attacker can enter your home at any time he wants, completely nullifying the idea of a lock.”

Unlocking Doors

The Microsoft and Michigan researchers focused their testing on Samsung’s SmartThings platform, a networked home system that’s in hundreds of thousands of homes, judging by Google’s count of downloads of its Android app alone. What they found allowed them to develop four attacks against the SmartThings system, taking advantage of design flaws that include badly controlled limitations of apps’ access to the features of connected devices, and an authentication system that would let a hacker impersonate a legitimate user logged into the SmartThings cloud platform.

In the most severe of their proof-of-concept attacks, the researchers found they could exploit SmartThings’ flawed implementation of a common authentication protocol known as OAuth. The researchers analyzed an Android app designed to control SmartThings services, and found a certain code—meant to be secret—that let them take advantage of a flaw in the SmartThings web server known as an “open redirect.” (The researchers declined to name that Android app to avoid helping real hackers replicate the attack.)

The researchers exploit that inconspicuous bug to pull off an intrusion worse than merely picking a lock: it plants a backdoor in your front door. First they trick a smart-home-owning victim into clicking on a link, perhaps with a phishing email purporting to come from SmartThings support. That carefully crafted URL would take the victim to the actual SmartThings HTTPS website, where the person logs in with no apparent sign of foul play. But due to the hidden redirect in the URL, the victim’s login tokens are sent to the attacker (in this case the researchers), allowing them to log into the cloud-based controls for the door lock app and add a new four-digit PIN to the lock unbeknownst to the home owner, as the researchers showed in a video, sabotaging a Schlage electronic lock.

That malicious link could even be broadcast widely to SmartThings victims to plant secret backdoor codes in the locks of any SmartThings owner who clicked it, says Atul Prakash, a University of Michigan computer science professor who worked on the study. “It’s definitely possible to do an attack on a large number of users just by getting them to click on these links on a help forum or in emails,” says Prakash. “Once you have that, whoever clicks and signs on, we’ll have the credentials required to control their smart app.”
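
The attack described above depends on the authorization server sending login tokens to a destination the attacker chose. As an added example (not code from the article, the researchers or SmartThings, whose implementation details the article does not give), the following Python contrasts a host-only redirect check with exact matching against pre-registered redirect URIs; the client ID, URLs and function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed registry: client_id -> redirect URIs registered in advance.
# The client ID and URLs are hypothetical, not taken from SmartThings.
REGISTERED = {"lock-app": {"https://app.example.com/oauth/callback"}}


def loose_check(client_id: str, redirect_uri: str) -> bool:
    """Weak: compares only the host, so any path on that host is accepted,
    including an endpoint that forwards the browser somewhere else."""
    hosts = {urlsplit(u).hostname for u in REGISTERED.get(client_id, ())}
    return urlsplit(redirect_uri).hostname in hosts


def strict_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened: the full URI must equal a registered value, byte for byte."""
    if redirect_uri not in REGISTERED.get(client_id, ()):
        return False
    parts = urlsplit(redirect_uri)
    # Registry hygiene: never hand tokens to non-HTTPS or fragment URIs.
    return parts.scheme == "https" and not parts.fragment


def review(requests):
    """Return the requests a host-only check accepts but exact match rejects."""
    return [(c, u) for c, u in requests
            if loose_check(c, u) and not strict_check(c, u)]


# Constructed authorization requests (client_id, redirect_uri).
SAMPLE_REQUESTS = [
    ("lock-app", "https://app.example.com/oauth/callback"),
    ("lock-app", "https://app.example.com/go?next=https://other.example/"),
    ("lock-app", "https://other.example/oauth/callback"),
    ("unknown-app", "https://app.example.com/oauth/callback"),
]

if __name__ == "__main__":
    for client, uri in review(SAMPLE_REQUESTS):
        print("would be rejected by exact matching:", client, uri)
```

Running `review` over logged authorization requests is one way to find redirect targets that a loose policy has been accepting before switching to exact matching.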

Read more: Flaws in Samsung’s ‘Smart’ Home Let Hackers Unlock Doors and Set Off Fire Alarms


Your next home security system could deploy patrol drones

Alarm.com’s new security scheme uses machine learning to know when to call in its investigatory UAVs.

Andrew Tarantola, @terrortola


Security cameras are great, but only when they’re actually pointed at whatever is going on. With Alarm.com’s forthcoming smart security system, however, unexpected events will always be in focus, thanks to a veritable swarm of drone investigators.

Alarm has developed a machine learning algorithm, called the Insights Engine, that continually monitors sensors placed around your property to learn how things are normally run and to quickly identify unexpected events — say, a break-in or a water leak — when they occur. If the system spots something out of the ordinary, it will deploy a swarm of autonomous UAVs built on Qualcomm’s Snapdragon Flight drone platform to investigate. These little fliers will swarm over the event site and provide live video feeds to your phone. You can also opt in to share that video data with either Alarm.com’s central monitoring facility or directly with emergency responders. Finally we can stop relying on Lassie to alert us every dang time Timmy falls down a well.


Article Source: Your next home security system could deploy patrol drones
