Watch Engineers Hack Your Samsung SmartThings Door Lock

HardOCP News

Thinking about doing the whole "smart home" thing? You might change your mind after watching this video. If you fall victim to a hack like this, you might as well have handed over the keys to your house because technically, that's what you just did. Scary, isn't it?

Cybersecurity researchers at the University of Michigan were able to hack into the leading “smart home” automation system and essentially get the PIN code to a home’s front door. Their “lock-pick malware app” was one of four attacks that the cybersecurity researchers leveled at an experimental set-up of Samsung’s SmartThings, a top-selling Internet of Things platform for consumers.
 
The chances of someone bashing a window in to break into my house are far greater than this. There are too many moving parts for this to happen. Not to mention, if you've implemented this system correctly, you would receive notifications anytime the door is locked/unlocked. The chances of someone identifying that you have this system, sitting outside of your house, hacking it, then entering are extremely slim.

Should they hack it just because, in an effort to leave the house vulnerable to others, again, if set up properly, you would be notified of the unlock state and can take further action.

Then, of course, there's the point where if someone has this system, there's a high probability they also have some sort of camera monitoring as well. Pair that with insurance...done deal.

Too many articles are spewing this as some kind of major flaw. It's not. It's a mix of social engineering and an improper SmartThings setup/configuration. So yes, if that's the case, then it is handing someone your keys. Otherwise, it's just another hypothetical "this could happen," should the stars align, sometime in the next 10 years.
 
I wish videos like this had more details; they always leave out the key facts, probably for a reason. On the first one, what battery monitoring app? Was it a phishing attack? Is it a widely installed app, and wouldn't that be where the vulnerability is? Second one, how did you target the correct phone? No matter what the answers are, I suspect the vulnerabilities can be mitigated with some very basic best practice configurations.

All these publicized "hacks" never turn out to be as legitimate as these researchers trying to make a name for themselves position them to be.
 
So hacking is now introducing an app that asks for too many permissions and allowing the author to control what the app does.

Ok....

That's like saying if you give a copy of your keys to a robber, they will have access to your home.
 
It seems like almost all of these hacking stories are around an unauthorized app being installed by phishing or social engineering and that part is completely glazed over. Irresponsible. Report on it, but highlight where the breakdown actually occurred and educate people. There is value in people understanding the concepts and effectiveness of these methods. Using those methods and then blaming them on Samsung (when they apply to everyone and everything) does nothing but perpetuate these issues.
 
It appears there is malware installed on the phone. You could probably capture anything you wished to capture on the phone.
 
So the user/home owner has to download and install a "compromised" battery level app onto the same phone that they use for the door lock? I had a hard time understanding what they were saying through that South Asian accent.

In principle, this kinda reminds me of the guys that can "hack" cars. What they didn't mention was 1) they had to have been inside the car at some point and 2) had to have a Bluetooth / Wi-Fi dongle plugged into the OBDII diag port.
 
If Ethan Hunt is hacking my home then I must really be special.
 
Ok, this is silly. If you actually watch the article it's nothing but a phishing attack. "I've written an app and if the homeowner installs it... it will send me info he punches into his phone." Well no shit! You could do way more than that with that kind of attack, literally get any information the person uses their phone for. This is utterly ridiculous and frankly, bad reporting. Not to mention smart locks are no worse off than regular locks. I can show you dozens of videos from YouTube of lock-pickers who will make you think that regular locks are worthless and "Why do we even use these?! They're so easy to bypass!"

Locks aren't proof against anything and everything. They're a deterrent, and as jnick above mentioned, they could just break your window if they really wanted in. Or, most don't bother with that, they just go house to house until they find a door/window unlocked. Because easier.
 
Not sure which "hacking cars" you are referring to. The hacking cars is a bad analogy; they did not have to have an OBDII connector. They were able to scan Sprint cell networks for a specific port the car used for communication. Then they uploaded a custom firmware to the car because the car had no security measures in place to verify or stop the firmware from being modified/overwritten. After that they were able to control the car remotely through the Sprint network. And yes, I was at the Defcon talk where they explained it in detail.

As far as this "hack" goes, it is a little misleading; this is more of a malware attack on your smart things than an exploited vulnerability. Basically the lesson is only install trusted apps. All Samsung has to do is have people submit their source code for review.
 
Agreed. My first question was 'how'? All he said was that they have access, not how they gained access. Hacked phone? Etc., etc.?
 
You are talking about a different / newer case than I am. The one I was referring to was the original "hack" - the newer / latter one (which you are likely referring to) applies to cars that have onboard telematics / internet service - which, as you said, the manufacturers did not adequately secure before bringing to market. Having internet service in your car is one thing (everyone needs the web at some point), but allowing it to remotely access the BCM or ECM or PCM (or whatever) was just plain stupid.

But back to OP's point - unless you are a celebrity or have something of particular interest - the amount of time it takes to "hack" your house vs. the possible reward that may await behind your door - probably isn't cost effective in terms of man-hours and advance legwork needed.

It would be tons easier to lock-pick the lock (it still has a traditional keyway lock in the video, likely for cases of power failure) or pick a different target or ... grab a rock and smash the window next to the door as has been said.
 
I have a simple Z-Wave based Nexia hub that came with my new air conditioner; after doing some simple scouring as to what it was doing on my network via Wireshark, I got uncomfortable with not knowing exactly what everything was ... Fortunately I could just set up its own Wi-Fi SSID unconnected to the rest of my networks, and access the settings via their Nexia iOS app. The IoT has a long way to go, and while what this guy did is not really what it's sold as, seeing stuff like this Symantec TV malware setup just makes me happy I have a general understanding of what's going on ... "How my TV got infected with ransomware and what you can learn from it"
 
I am using a Wink hub at my house and have a few smart locks. IoT security has been very spotty - guessing Wink could be open to some of these issues as well.
Still, my kids unlock our doors and forget to lock them all the time. Prior to the smart locks, a criminal had a 60-70% chance of our doors being wide-open. Now, I have rules in place to lock the doors and make sure the garage door is shut. Even though it might be hackable, at least the locks are more likely to be locked :)
 
The app they used was one they created, which could make its way onto the App store for people to download.
The app could also transmit GPS data as well as a passcode to the hacker so the hacker would know the location of the home as well as the passcode to get in.
 
Yes, but if you download an app like that from the app store, everything your phone has control over and all your data is compromised, not just SmartThings. That said, chances of you stumbling over some small time no-name app are small. It's not a Samsung issue, it's a computing in general issue and it's the same problem that's existed for 40+ years now. *yawn*. It's not going away.

If that's unacceptable, get a tablet or something dedicated to management of your home and don't install anything but necessary apps. Treat general use devices like your phone as insecure. Though honestly if that's required, maybe technology isn't for you, because your bank accounts, identity and anything you access via that compromised device is up for grabs as well.
 
So how does the hacker know that door lock/pin code is for that particular lock at a particular house...I doubt many have their home address stored on their phone.
 
Which goes back to safe app habits 101. Use trusted developers, well reviewed apps, and review the permissions that are asked. Downloading dubious apps is no different than downloading a fishy attachment from a fishy email.
 
What I would do is post a good working app, after it gets plenty of downloads and good reviews, then during an update, I'd inject the malicious code.
 
Yes, anyone can create a good app with plenty of downloads and good reviews anytime they want.

I think if you could pull that off, you'd just monetize it.

Phishing doesn't work on phones unless the user has rooted it, bypassed all security mechanisms and is clicking on questionable links or email attachments. Those users know the risks.

Stop defending these attention whores.
 
You didn't read a single message in this thread before posting that tripe, did you?
 
Yes, as a matter of fact I did. And my post contained something called irony, with a liberal dash of sarcasm.
 