Researchers at the University of Michigan have uncovered multiple design flaws in Samsung's SmartThings platform that could allow a malicious app to unlock doors, set home access codes, falsely set off smoke alarms, or put devices on vacation mode, among other attacks. Crucially, all the attacks require users to either install a malicious app from the SmartThings store or click a malicious link.

Multiple issues exist in SmartThings' framework, the researchers say, but most pressing are the privileges given to apps, many of which they don't need to function. A smart lock might only need the ability to lock itself remotely, for instance, but the SmartThings API bundles that command with the unlock command, which an attacker can leverage to carry out a physical attack. Another over-granting of permissions involves the way in which SmartApps connect to physical devices. When a user downloads a SmartApp, it asks for specific permissions to perform its intended purpose. After being installed, SmartThings then lists all the devices that could be used with that app because of its ability to sync with those permissions. But it also gives the app more access than it needs.

an app is granted way more permissions than it needs

The researchers demonstrated this finding with a proof of concept app promising to monitor battery life on various devices. If the user agreed to let the malicious — but seemingly innocuous — app access their smart lock, the researchers could then not only monitor its battery, but perform the lock's other functions, including unlocking the door. The researchers found 42 percent of 499 analyzed SmartApps are currently overprivileged in a similar way.

In another proof of concept, the researchers exploited a separate over-privilege flaw to program their own PIN code for a smart lock, allowing them to create a secret backdoor.

42 percent of SmartApps are currently overprivileged

These exploits do require user interaction, but the researchers determined that many people readily grant these privileges or are unaware of how they're granted on SmartThings. The researchers surveyed 22 SmartThings users. Ninety-one percent said they would let a battery monitoring app check on their smart lock, and consequently give the app access to its functions. Only 14 percent believed that access would let the battery app send door access codes to a remote server.

These critical flaws aren't the first to be found in connected devices and their various platforms. Earlier this year, Comcast's home security system was easily duped into letting an attacker inside. But SmartThings' issues do demonstrate the inherent security problems that can arise when a new connected business springs up. Samsung purchased SmartThings nearly two years ago when IoT was only beginning to blossom. Now, most everything connects to the internet.

SmartThings said in an emailed comment to The Verge that these findings prompted it to update its documentation for developers on how to keep their source code secure.

Samsung says its app oversight keeps users safe

"The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios - the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure," a SmartThings representative said. "Following this report, we have updated our documented best practices to provide even better security guidance to developers." In a subsequent blog post, SmartThings CEO Alex Hawkinson said the company has already issued a number of updates based on the research.

The company also says it conducts app reviews to stop malicious apps before they can do harm, but the University of Michigan team isn't convinced those efforts are enough.

"Smart home devices and their associated programming platforms will continue to proliferate and will remain attractive to consumers because they provide powerful functionality," the researchers wrote. "However, the findings in this paper suggest that caution is warranted as well — on the part of early adopters, and on the part of framework designers. The risks are significant, and they are unlikely to be easily addressed via simple security patches."

7:48PM ET: Updated to include blog post from SmartThings CEO.