Summary and FAQ
We performed the first in-depth empirical security analysis of a popular emerging smart home programming platform—Samsung SmartThings. We evaluated the platform’s security design, and coupled that with an analysis of 499 SmartThings apps (also called SmartApps) and 132 device handlers using static code analysis tools that we built.
- What are your key findings?
- Our key findings are twofold. First, although SmartThings implements a privilege separation model, we found that SmartApps can be overprivileged. That is, SmartApps can gain access to more operations on devices than their functionality requires. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock pincodes.
- Why SmartThings?
- Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. We analyzed Samsung-owned SmartThings because it has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks.
- Can you explain overprivilege, and what you found specifically for SmartThings?
- Overprivilege is a security design flaw wherein an app gains access to more operations on protected resources than it requires to complete its claimed functionality. For instance, a battery manager app only needs access to read battery levels of devices. However, if this app can also issue operations to control the on/off status of those devices, that would be overprivilege. We found two forms of overprivilege for SmartThings. First, coarse-grained capabilities cause over 55% of existing SmartApps to be overprivileged. Second, coarse SmartApp-SmartDevice binding leads to SmartApps gaining access to operations they did not explicitly ask for. Our analysis reveals that 42% of existing SmartApps are overprivileged in this way.
- How can attackers exploit these design flaws?
- We exploited framework design flaws to construct four proof-of-concept attacks that: (1) secretly planted door lock codes; (2) stole existing door lock codes; (3) disabled vacation mode of the home; and (4) induced a fake fire alarm. Details on how these attacks work are in our research paper linked below.
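To make the two forms of overprivilege from the FAQ concrete, here is an added example; it is not the project's static analysis tool or code from the paper. The capability table, the SmartApp source and the device binding are constructed and simplified assumptions, and a regular-expression scan stands in for real static analysis.

```python
import re

# Constructed, simplified capability table (assumption, not the project's documentation).
CAPABILITIES = {
    "capability.battery": set(),            # read-only: no commands
    "capability.switch": {"on", "off"},
    "capability.lock": {"lock", "unlock"},
}

# Constructed SmartApp source, written in the Groovy style SmartApps use.
SMARTAPP = '''
preferences {
    input "outlets", "capability.switch", multiple: true
    input "meters", "capability.battery", multiple: true
}
def installed() { subscribe(meters, "battery", onBattery) }
def onBattery(evt) { if (evt.integerValue < 10) outlets.off() }
'''

INPUT_RE = re.compile(r'input\s+"(\w+)"\s*,\s*"(capability\.\w+)"')

def requested(src):
    """Map each input name to the capability the app asks for."""
    return dict(INPUT_RE.findall(src))

def coarse_capability_overprivilege(src, model=CAPABILITIES):
    """Commands a requested capability grants that the code never calls."""
    unused = {}
    for name, cap in requested(src).items():
        # Regex scan only; dynamic Groovy method calls would need real static analysis.
        called = set(re.findall(rf'\b{re.escape(name)}\.(\w+)\s*\(', src))
        extra = model[cap] - called
        if extra:
            unused[name] = extra
    return unused

def binding_overprivilege(src, bound, model=CAPABILITIES):
    """Commands reachable via capabilities of the bound device that the app never requested."""
    asked = set(requested(src).values())
    extra = {}
    for name in requested(src):
        cmds = set().union(*(model[c] for c in set(bound.get(name, ())) - asked))
        if cmds:
            extra[name] = cmds
    return extra

# Constructed binding: the user picks a lock that also reports its battery level.
BOUND = {"meters": ["capability.battery", "capability.lock"]}

if __name__ == "__main__":
    print(coarse_capability_overprivilege(SMARTAPP))   # unused switch command
    print(binding_overprivilege(SMARTAPP, BOUND))      # lock commands the app never asked for
```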
Code & Tools
We have made three programming resources available on GitHub:
- Static analysis tool that computes overprivilege in SmartApps.
- Python script that automatically creates skeleton device handlers inside the SmartThings IDE.
- Capability documentation that we used in our analysis.
Research Paper — Distinguished Practical Paper Award at IEEE S&P 2016 (“Oakland”)
When referring to our work, please cite it as:
Earlence Fernandes, Jaeyeon Jung, and Atul Prakash
Security Analysis of Emerging Smart Home Applications
In Proceedings of 37th IEEE Symposium on Security and Privacy, May 2016
or, use BibTeX for citation:
@InProceedings{smartthings16,
  author = {Earlence Fernandes and Jaeyeon Jung and Atul Prakash},
  title = {{S}ecurity {A}nalysis of {E}merging {S}mart {H}ome {A}pplications},
  booktitle = {Proceedings of the 37th {IEEE} Symposium on Security and Privacy},
  month = May,
  year = 2016
}
Attack Demos
Pincode Snooping
Backdoor Pincode Injection
Disabling Vacation Mode
Fake Fire Alarm
Media Coverage
Michigan Engineering, Wired, Schneier on Security, The Verge, Gizmodo, Ars Technica, CNET, Mashable, Detroit Free Press, ZDNet, Yahoo News, Tech Times, Reddit, NDTV, SC Magazine, TechHive, WorldTechToday, Popular Mechanics, GearBrain, Phys.org, 9to5google.com, NetworkWorld, mobilesyrup, myce, BestTheNews, Android Headlines, CityNewsLine, NewsAbout.com, Top Tech News, News Factor, SANS ISC InfoSec, Sammobile, The Inquirer, Live Smart, Mobile Scout, Digital Trends, TechDirt, TecHomeBuilder, ABCNews, Business Insider, E&T, Neowin, Business Standard, Security Sales, eWeek, Softpedia, HotHardware, TechSpot, Morning News USA, Digital Spy, Betanews, IoTHub, hiddenwires, The Stack, Tech News World, Security Week, International Business Times, The Register, SANS Institute, Tech Republic
Here is an article for “The Conversation” that explains our research findings to the general reader.
Radio Coverage
WWJ Newsradio 950, Hacked! The Charles Tendell Show (Live)
Vendor Statement
Alex Hawkinson, Founder, CEO of SmartThings