The researchers also developed proof-of-concept (PoC) attacks demonstrating how they could disable vacation mode and induce a fake fire alarm. With the PoC code, the researchers secretly changed door lock codes, stole existing door lock codes, deactivated vacation mode in the house, and triggered the fire alarm. The attacks were made possible by two vulnerabilities in the Samsung SmartThings framework that are difficult to correct. According to the security team, “We found two forms of over privilege for SmartThings. First, coarse-grained capabilities lead to over 55% of existing SmartApps to be overprivileged. Second, coarse SmartApp-SmartDevice binding leads to SmartApps gaining access to operations they did not explicitly ask for. Our analysis reveals that 42% of existing SmartApps are overprivileged in this way”.
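
The two forms of over-privilege named in the quote can be checked per app with a small audit. The sketch below is an example added here, not the researchers' tooling or SmartThings code; the capability map, the function name `audit_smartapp` and the sample app are constructed assumptions that only model the idea.

```python
# Added illustration: a simplified model, not SmartThings code.
# The capability-to-command map below is constructed sample data.
CAPABILITY_COMMANDS = {
    "capability.lock": {"lock", "unlock"},
    "capability.lockCodes": {"setCode", "deleteCode"},
    "capability.battery": set(),  # exposes readings only in this model
}


def audit_smartapp(requested, used_commands, bound_device_caps):
    """Report both forms of over-privilege for one app.

    requested         -- capabilities the app asked for
    used_commands     -- commands the app's code actually calls
    bound_device_caps -- every capability the bound device exposes
    """
    unknown = (set(requested) | set(bound_device_caps)) - CAPABILITY_COMMANDS.keys()
    if unknown:
        raise ValueError(f"capabilities missing from model: {sorted(unknown)}")

    # Form 1, coarse-grained capabilities: asking for a capability grants
    # all of its commands, including ones the app never calls.
    granted = set().union(*(CAPABILITY_COMMANDS[c] for c in requested))
    unused = granted - set(used_commands)

    # Form 2, coarse app-to-device binding: once bound to a device, the app
    # also reaches capabilities of that device it never requested.
    extra_caps = set(bound_device_caps) - set(requested)
    extra_cmds = set().union(*(CAPABILITY_COMMANDS[c] for c in extra_caps)) - granted

    return {
        "unused_commands": sorted(unused),
        "unrequested_capabilities": sorted(extra_caps),
        "unrequested_commands": sorted(extra_cmds),
        "overprivileged": bool(unused or extra_caps),
    }


# Constructed sample: an app that only ever locks the door at night,
# bound to a lock that also exposes code management and battery level.
NIGHT_LOCK_REPORT = audit_smartapp(
    requested=["capability.lock"],
    used_commands={"lock"},
    bound_device_caps=["capability.lock", "capability.lockCodes", "capability.battery"],
)

if __name__ == "__main__":
    for key, value in NIGHT_LOCK_REPORT.items():
        print(f"{key}: {value}")
```

In the sample, an app that only needs `lock` ends up able to call `unlock` and to manage lock codes, which is the kind of access the lock-code attacks above depended on.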

The researchers were able to open door locks by capturing the OAuth token that applications and SmartThings use for user authentication. For the attack to succeed, it was enough to get the user to follow a malicious link leading to a page that looks like a legitimate SmartThings authentication page; when the user enters their credentials, they are forwarded to an address controlled by the hacker. Because of this, the researchers were able to gain access to the house as legitimate users would. The code that redirects the user was made possible by the second of the SmartThings vulnerabilities. The vulnerabilities allow the privileges of “smart home” management applications to be increased. After analyzing the 499 existing SmartThings applications and 132 device handlers, the experts stated that more than 55% of the applications had elevated privileges, and they arrived at two major findings.

Christopher Budd, the global threat communications manager for Trend Micro, said that “Without knowing the specifics of the development, it’s impossible to know how the vulnerability was left exposed”. Budd also added that “This is a broad and common class of issues not just in IoT devices, but desktop applications and mobile apps as well”.