New vulnerabilities disclosed in Samsung's SmartThings platform can trigger the fire alarm - Vulnerability Warning - the black bar safety net

2016-05-04T00:00:00
ID MYHACK58:62201674398
Type myhack58
Reporter Anonymous
Modified 2016-05-04T00:00:00

Description

Researchers found multiple vulnerabilities in Samsung's SmartThings platform that open the door for attackers to break into a victim's home.

A security research team found multiple vulnerabilities in the Samsung SmartThings platform that give network attackers a variety of ways to attack the IoT devices in a victim's home. The team found several design defects in the IoT platform. By exploiting the software vulnerabilities, an attacker can unlock the door without the owner's permission, set up a new virtual key, open a smart lock by supplying false information, send false information to trigger the fire alarm, and turn off vacation mode, which automatically adjusts the lighting and security settings after the owner has left.

University of Michigan researchers, together with Jaeyeon Jung of Microsoft Research, published a paper titled “Security Analysis of Emerging Smart Home Applications” and demonstrated their complete research results at an IEEE seminar in San Jose late last month. The paper reveals “obvious” design vulnerabilities in the IoT platform and states that it did not take long to build proof-of-concept attacks that succeeded against the Samsung SmartThings system.

Hazard Analysis

During testing, the research team created a malicious SmartThings app that an unsuspecting user could be led to download or install through a malicious link. Once installed, the “lock-pick malware”, disguised as a battery monitor, can listen on the IoT network for a new PIN code being set on the smart door lock and send that new PIN code to the network attacker.

The app can also use a SmartThings platform vulnerability to turn off “vacation mode”, a widely used function. With “vacation mode” set, the lights are switched on and off automatically and home accessories such as curtains are opened and closed, in order to trick opportunistic thieves into thinking that someone is home so that they abandon the attempt. But the researchers found that the malicious app is able to turn the mode off, putting the household at risk.

In addition, the team found that a popular SmartApp used in the IoT system can be exploited remotely by an attacker to produce a spare key “by programming an additional PIN into the electronic lock”, and that spare key can end up in the hands of a stranger who “visits” your home. The malicious application can also send false information to trigger the fire alarm.

According to the team's statement, the SmartThings App Store has more than 500 apps that can control your home, and most of these apps request some privileges they do not need, which exacerbates the security problems. The research team found that more than 40% of the 500 applications are “over-privileged”. If IoT households want to achieve a basic level of security, this trend must be noted and must be changed.

Atul Prakash, professor of computer science and engineering at the University of Michigan, said: “A smart home platform like SmartThings, which needs apps to access other connected objects, is in fact very dangerous when it has gaps. For example, if you are able to let someone else control the office lights, then there is also the chance of letting someone else hold authority over the entire office, even including the safe.”

Earlence Fernandes, head of the research group, said: “The Samsung platform is well designed for controlling basic functions, such as curtains, but what consumers need to consider is whether, and how much of, the control over their own security they can really hand over to an IoT network system that is still in its infancy.”

Subsequently, SmartThings CEO Alex Hawkinson responded promptly, indicating that this vulnerability has been fixed and that the company has started working with the University of Michigan team to find more potential vulnerabilities.

“Over the past few weeks, we have been working with the team to fix a number of vulnerabilities and to prevent more holes from appearing. More importantly, the details of these vulnerabilities have not been disclosed, and therefore the normal use of SmartApps has not been affected.”