Security Analysis of Emerging Smart Home Applications


Summary and FAQ

We performed the first in-depth empirical security analysis of a popular emerging smart home programming platform—Samsung SmartThings. We evaluated the platform’s security design, and coupled that with an analysis of 499 SmartThings apps (also called SmartApps) and 132 device handlers using static code analysis tools that we built.

  • What are your key findings?
    • Our key findings are twofold. First, although SmartThings implements a privilege separation model, we found that SmartApps can be overprivileged. That is, SmartApps can gain access to more operations on devices than their functionality requires. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock pincodes.
  • Why SmartThings?
    • Recently, several competing smart home programming frameworks that support third-party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. We analyzed Samsung-owned SmartThings because it has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks.
  • Can you explain overprivilege, and what you found specifically for SmartThings?
    • Overprivilege is a security design flaw wherein an app gains access to more operations on protected resources than it requires to complete its claimed functionality. For instance, a battery manager app only needs access to read battery levels of devices. However, if this app can also issue operations to control the on/off status of those devices, that would be overprivilege. We found two forms of overprivilege for SmartThings. First, coarse-grained capabilities cause over 55% of existing SmartApps to be overprivileged. Second, coarse SmartApp-SmartDevice binding leads to SmartApps gaining access to operations they did not explicitly ask for. Our analysis reveals that 42% of existing SmartApps are overprivileged in this way.
  • How can attackers exploit these design flaws?
    • We exploited framework design flaws to construct four proof-of-concept attacks that: (1) secretly planted door lock codes; (2) stole existing door lock codes; (3) disabled vacation mode of the home; and (4) induced a fake fire alarm. Details on how these attacks work are in our research paper linked below.
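
The two forms of overprivilege described above can be computed as set differences. The following is an added example, not the static analysis tool released with the paper; the capability table is a constructed, simplified model, and the function names and `cmd:`/`attr:` operation labels are assumptions made for illustration.

```python
# Constructed, simplified capability model: each capability maps to the
# commands (cmd:) and attributes (attr:) it grants. Not the project's data.
CAPABILITIES = {
    "capability.battery": {"attr:battery"},
    "capability.switch": {"cmd:on", "cmd:off", "attr:switch"},
    "capability.lock": {"cmd:lock", "cmd:unlock", "attr:lock"},
}


def granted(caps):
    """Union of all operations reachable through a set of capabilities."""
    ops = set()
    for cap in caps:
        ops |= CAPABILITIES[cap]
    return ops


def overprivilege(requested, used, device_caps):
    """Return (coarse_capability, coarse_binding) sets of excess operations.

    requested   : capabilities the app declares
    used        : operations the app's code actually references
    device_caps : capabilities of the device handler the user binds
    """
    asked = granted(requested)
    # Form 1: operations inside a requested capability that the app never uses.
    coarse_capability = asked - used
    # Form 2: operations of capabilities the app never requested, reachable
    # because binding to the device exposes everything its handler implements.
    coarse_binding = granted(device_caps) - asked
    return coarse_capability, coarse_binding


if __name__ == "__main__":
    # Hypothetical battery monitor bound to a lock that also reports battery.
    print(overprivilege({"capability.battery"}, {"attr:battery"},
                        {"capability.battery", "capability.lock"}))
    # Hypothetical auto-lock app that locks the door but never unlocks it.
    print(overprivilege({"capability.lock"}, {"cmd:lock", "attr:lock"},
                        {"capability.lock", "capability.battery"}))
```

A non-empty first set means the capability is coarser than the app needs; a non-empty second set means the device binding hands over operations the app never asked for.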

Code & Tools

We have made three programming resources available on GitHub:

  • Static analysis tool that computes overprivilege in SmartApps.
  • Python script that automatically creates skeleton device handlers inside the SmartThings IDE.
  • Capability documentation that we used in our analysis.

Tools on GitHub


Research Paper — Distinguished Practical Paper Award at IEEE S&P 2016 (“Oakland”)

Download PDF

When referring to our work, please cite it as:

Earlence Fernandes, Jaeyeon Jung, and Atul Prakash 
Security Analysis of Emerging Smart Home Applications 
In Proceedings of 37th IEEE Symposium on Security and Privacy, May 2016

or, use BibTeX for citation:

@InProceedings{smartthings16,
     author = {Earlence Fernandes and Jaeyeon Jung and Atul Prakash},
     title = {{S}ecurity {A}nalysis of {E}merging {S}mart {H}ome {A}pplications},
     booktitle = {Proceedings of the 37th {IEEE} Symposium on Security and Privacy},
     month = May,
     year = 2016
     }
                

Attack Demos

Pincode Snooping


Backdoor Pincode Injection


Disabling Vacation Mode


Fake Fire Alarm



Team

Earlence Fernandes, Ph.D. Candidate, University of Michigan

Jaeyeon Jung, Principal Security Architect, Microsoft Research (now Vice President, Samsung)

Atul Prakash, Professor, University of Michigan


Acknowledgements