A smoke detector that sends you a text alert when your house is on fire seems like a good idea. An internet-connected door lock with a PIN that can be programmed from your smartphone sounds convenient, too. But when a piece of malware can trigger that fire alarm at four in the morning or unlock your front door for a stranger, your “smart home” suddenly seems pretty dumb.

The security research community has been loudly warning for years that the so-called Internet of Things—and particularly networked home appliances—would introduce a deluge of new hackable vulnerabilities into everyday objects. Now one group of researchers at the University of Michigan and Microsoft have published what they call the first in-depth security analysis of one such “smart home” platform that allows anyone to control their home appliances from light bulbs to locks with a PC or smartphone. They discovered they could pull off disturbing tricks over the internet, from triggering a smoke detector at will to planting a “backdoor” PIN code in a digital lock that offers silent access to your home, all of which they plan to present at the IEEE Symposium on Security and Privacy later this month.

“If these apps are controlling non-essential things like window shades, I’d be fine with that. But users need to consider whether they’re giving up control of safety-critical devices,” says Earlence Fernandes, one of the University of Michigan researchers. “The worst case scenario is that an attacker can enter your home at any time he wants, completely nullifying the idea of a lock.”

Unlocking Doors

The Microsoft and Michigan researchers focused their testing on Samsung’s SmartThings platform, a networked home system that's in hundreds of thousands of homes, judging by Google’s count of downloads of its Android app alone. What they found allowed them to develop four attacks against the SmartThings system, taking advantage of design flaws that include badly controlled limitations of apps’ access to the features of connected devices, and an authentication system that would let a hacker impersonate a legitimate user logged into the SmartThings cloud platform.

In the most severe of their proof-of-concept attacks, the researchers found they could exploit SmartThings’ flawed implementation of a common authentication protocol known as OAuth. The researchers analyzed an Android app designed to control SmartThings services, and found a certain code—meant to be secret—that let them take advantage of a flaw in the SmartThings web server known as an "open redirect." (The researchers declined to name that Android app to avoid helping real hackers replicate the attack.)

The researchers exploit that inconspicuous bug to pull off an intrusion worse than merely picking a lock: it plants a backdoor in your front door. First they trick a smart-home-owning victim into clicking on a link, perhaps with a phishing email purporting to come from SmartThings support. That carefully crafted URL would take the victim to the actual SmartThings HTTPS website, where the person logs in with no apparent sign of foul play. But due to the hidden redirect in the URL, the victim’s login tokens are sent to the attacker (in this case the researchers), allowing them to log into the cloud-based controls for the door lock app and add a new four digit PIN to the lock unbeknownst to the home owner, as shown in this video, sabotaging a Schlage electronic lock:

That malicious link could even be broadcast widely to SmartThings victims to plant secret backdoor codes in the locks of any SmartThings owner who clicked it, says Atul Prakash, a University of Michigan computer science professor who worked on the study. “It’s definitely possible to do an attack on a large number of users just by getting them to click on these links on a help forum or in emails,” says Prakash. “Once you have that, whoever clicks and signs on, we’ll have the credentials required to control their smart app.”

Bad Apps

The researchers admit that the other three of their four demonstration attacks require a more involved level of trickery: The attackers would have to convince their victim to download a piece of malware disguised as an app in Samsung SmartThing's dedicated app store that would appear to simply monitor the battery charge of various devices on a SmartThings home network. The challenge there would be not just in getting someone to download the app but in smuggling an evil app into the SmartThings app store in the first place, a step the researchers didn't actually attempt for fear of legal repercussions or compromising real peoples' homes.

Due to what they describe as a design flaw in SmartThings' system of privileges for apps, however, such a battery monitor app would actually have far greater access to those devices than SmartThings intended. With it installed, the researchers have demonstrated that an attacker could disable "vacation mode"—a setting designed to periodically turn lights on and off to make the owner appear to be at home—set off a smoke detector, or steal the PIN from the victim's door lock and send it via text message to the attacker. Here's a video demo of that PIN-stealing attack in action:

In a statement, a SmartThings spokesperson said that the company had been working with the researchers for weeks "on ways that we can continue to make the smart home more secure," but nonetheless downplayed the severity of their attacks. "The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios - the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure," the SmartThings statement reads. The company, in other words, blames the authentication vulnerability that allowed the addition of a secret lock PIN on the Android app the researchers reverse-engineered to pull off their redirect attack.

"Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp."

It's a Privilege Problem

The researchers say, however, that their attacks would still work today as well as they did when they first approached SmartThings; neither the Android app they reverse engineered to exploit the SmartThings authentication flaw nor the privilege overreach flaw itself has been fixed. And they argue that it would be tough for Samsung's SmartThings app reviewers to detect the sort of malware they created. None of the battery-monitoring app's malicious commands were actually apparent in its code, they say, and could instead be injected from the server that controls the app when it's past that code review and running on the victim's device.

They analyzed 499 SmartThings and found that more than half of them had at least some level of privilege they considered overbroad, and that 68 actually used capabilities they weren't meant to possess.

"The code is set up so we can very nicely push in the malicious stuff," says Fernandes. "But you'd have to explicitly be looking for that." As evidence that SmartThings owners would actually install their malware, they performed a survey of 22 people using SmartThings devices and found that 77 percent of them would be interested in that battery monitor app.

The researchers argue that the more fundamental issue in SmartThings' platform is "overprivilege." Just as smartphone apps must ask a user's permission for access to his or her location, a SmartThings app that's meant to check a lock's battery shouldn't be able to steal its PIN or set off a fire alarm, they argue. In fact, they analyzed 499 SmartThings and found that more than half of them had at least some level of privilege they considered overbroad, and that 68 actually used capabilities they weren't meant to possess. "It only takes one bad app, and that’s it," says Prakash. "They really need to fix this overprivilege issue."

The broader lesson for consumers is a simple one, says Michigan's Prakash: Approach the whole notion of a smart home with caution. "These software platforms are relatively new. Using them as a hobby is one thing, but they’re not there yet in terms of sensitive tasks," he says. "As a homeowner thinking of deploying them, you should consider the worst case scenario, where a remote hacker has the same capabilities you do, and see if those risks are acceptable."