Samsung SmartThings Security Vulnerabilities: Essential Insights for Smart Home Users

Security researchers from the University of Michigan have uncovered critical design flaws in Samsung's SmartThings platform, potentially compromising any smart home relying on this ecosystem.

One key attack vector involves users downloading a malicious app from the SmartThings store or clicking a phishing link mimicking the login page. This allows attackers worldwide to steal login tokens, enabling unauthorized actions like setting PINs on smart locks—without the owner's knowledge.

Multiple Vulnerabilities Exposed

The team developed proof-of-concept exploits targeting core flaws in SmartThings, a leading IoT platform powering devices from refrigerators and thermostats to locks, sensors, and security panels.

Root causes trace to improper implementation of the OAuth authorization protocol in third-party apps. Attackers can craft links that capture tokens mid-login. Exploits also disable "vacation mode," overriding automated defenses like randomized lights and blinds to simulate occupancy.

A deeper issue: many apps request excessive permissions. An analysis of over 500 SmartThings apps revealed that more than 40% hold high-level access that is unnecessary for their functions, amplifying the risk.

Atul Prakash, Professor of Computer Science and Engineering at the University of Michigan, notes this stems from platform design limitations, not just app developers.

Samsung's Response

Samsung acknowledges the issues and is actively addressing them, though fixes for inherent design flaws may prove challenging.

This isn't isolated—IoT security woes plague the industry. A small user study underscored the problem: 20 of 22 participants granted a battery-monitoring app access to smart lock status and door codes, highlighting inadequate user awareness.
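The over-permissioning described above, where an app holds more access than its function needs (as with the battery-monitoring app in the user study), can be checked mechanically. The following Python audit is an added example, not code from the researchers or from SmartThings; the capability names, operation names and app manifests are constructed for illustration.

```python
# Constructed model: these capability and operation names are illustrative,
# not the SmartThings capability list or the researchers' tooling.
CAPABILITIES = {
    "battery": {"battery_level"},
    "lock": {"lock_status", "lock", "unlock"},
    "lock_codes": {"read_codes", "set_code", "delete_code"},
    "switch": {"switch_status", "on", "off"},
}
# Operations that affect physical security if misused.
SENSITIVE = {"unlock", "read_codes", "set_code", "delete_code"}


def audit(app):
    """Compare what an app was granted with the operations its code uses."""
    granted = set(app["granted"])
    unknown = granted - set(CAPABILITIES)
    if unknown:
        raise ValueError(f"unknown capabilities: {sorted(unknown)}")
    used = set(app["uses"])
    reachable = set().union(*(CAPABILITIES[c] for c in granted))
    # Whole capabilities granted although none of their operations is used.
    unused_caps = sorted(c for c in granted if not CAPABILITIES[c] & used)
    # Sensitive operations the app can reach but never calls.
    excess_sensitive = sorted((reachable - used) & SENSITIVE)
    return {
        "app": app["name"],
        "unused_capabilities": unused_caps,
        "excess_sensitive_ops": excess_sensitive,
        "undeclared_ops": sorted(used - reachable),  # used without a grant
        "overprivileged": bool(unused_caps or excess_sensitive),
    }


# Constructed sample manifests: granted capabilities vs. operations used.
APPS = [
    {"name": "Battery Monitor", "granted": ["battery", "lock", "lock_codes"],
     "uses": ["battery_level"]},
    {"name": "Night Lock", "granted": ["lock"], "uses": ["lock", "lock_status"]},
    {"name": "Light Timer", "granted": ["switch"], "uses": ["on", "off"]},
]

if __name__ == "__main__":
    for app in APPS:
        report = audit(app)
        flag = "OVERPRIVILEGED" if report["overprivileged"] else "ok"
        print(f"{report['app']}: {flag} {report['excess_sensitive_ops']}")
```

The "Night Lock" case shows that an app can be flagged even when it uses the capability it was granted: in this model the grant is per capability, so an app that only locks the door can still reach `unlock`.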

While companies bear responsibility for secure-by-design systems and better education, users must scrutinize app permissions. No need for panic; Samsung is patching major flaws, but vigilance remains key for a secure smart home.

Do you use SmartThings? Considering alternatives? Share in the comments.