ELECTRONICS COMPANY Samsung SmartThings has reacted quickly to coverage of a report into the state of SmartThings security, saying that it knows all about it and has it all in hand.
The firm would say that, of course. Its gadgetry has been accused of being rice-paper weak at protecting things, and could let third parties set off fire alarms in people's houses at will. Samsung SmartThings says yes, it knows that there are issues, that the people who found them told it about those problems, and that together they are working on improving the system.
"Protecting our customers' privacy and data security is fundamental to everything we do at SmartThings. We have been working with the authors of the report for the past several weeks on ways that we can continue to make the smart home more secure as the industry grows," it said as it distanced itself from problems, and pushed them in the direction of poor third-party practices.
"Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes Samsung SmartThings has in place to ensure malicious SmartApps are not approved for publication," it added.
"To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp..."
The firm added that some of the weaknesses can be attributed to the openness of the system, and has updated its guidance information on best practices for developers.
We are aware of the alleged flaws because a team of researchers claimed that they could take down the system, as they explain in a paper called "Security Analysis of Emerging Smart Home Applications" that will be presented at the IEEE Symposium on Security and Privacy later this month.
Ars Technica says that the attack works on Samsung SmartThings kit and works well, and backs this up with chunks from the paper, including: "All of the above attacks expose a household to significant harm: break-ins, theft, misinformation, and vandalism."
More information is provided by the authors and they even offer a couple of videos. It looks like a bad day to be a SmartThing. The report says that the system is vulnerable to four significant things. "We exploited framework design flaws to construct four proof-of-concept attacks that: secretly planted door lock codes; stole existing door lock codes; disabled vacation mode of the home; and induced a fake fire alarm," they explained.
"Our key findings are twofold. First, although SmartThings implements a privilege separation model, we found that SmartApps can be overprivileged. That is, SmartApps can gain access to more operations on devices than their functionality requires.
"Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock pin codes."
The report found a lot of incidents of overprivilege, 40 percent of 500 apps, which is enough to suggest that it is rather common across the Samsung SmartThings ecosystem. µ