Researchers Uncover Connected Home Security Flaws

• By Sydny Shepard
• May 03, 2016

A team of security researchers have discovered multiple security flaws in Samsung’s SmartThings platform which granted cyber attackers the ability to compromise IoT homes in a variety of ways.

The team, from the University of Michigan, partnered together with Jaeyeon Jung from Microsoft Research to take a look into the connected home platform. They were able to use the vulnerabilities to exploit software to unlock doors, set new virtual keys without an owner’s permission, control fire alarms and kill vacation modes which automatically adapt lighting and security settings while owners are away.

During testing, the research team created a malicious SmartThings app which could be downloaded by a user who believed it to be the real app that pairs with the connected home device. Once the app was established, the “lock-pick malware app” was able to eavesdrop on the IoT network, set a new PIN code for the smart door locks and then send that PIN to the hacker.

Using this malicious app, the team was able to turn off “vacation mode” on the platform. The mode is a highly publicized feature of the connected home device that allows the home to look lived in while the home owners are away.

Researchers were also able to generate a “spare door key” by programming an additional PIN into the electronic lock. They were also able to turn off fire alarms within the home.

The group will release a paper later this month entitled, “Security Analysis of Emerging Smart Home Applications.” It will document their full findings and be presented at the IEEE Symposium in San Jose.